author | Stanislav Malyshev <stas@php.net> | 2015-03-17 13:20:22 -0700 |
---|---|---|
committer | Julien Pauli <jpauli@php.net> | 2015-03-18 10:38:20 +0100 |
commit | b690be4d22c9651dd99ead087d3b808f12fa68fb (patch) | |
tree | 2dda55ebadc17dc646b0bd1d7ad06fb4854b1aff | |
parent | 048e0d58bf3a30849b0f7b7c1e43e8fb9fc8b01b (diff) | |
download | php-git-b690be4d22c9651dd99ead087d3b808f12fa68fb.tar.gz |
Fixed bug #68976 - Use After Free Vulnerability in unserialize()
Conflicts:
ext/standard/var_unserializer.c
-rw-r--r-- | ext/standard/var_unserializer.c | 61 | ||||
-rw-r--r-- | ext/standard/var_unserializer.re | 1 |
2 files changed, 32 insertions, 30 deletions
diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c index f99ba16354..dd4e27b675 100644 --- a/ext/standard/var_unserializer.c +++ b/ext/standard/var_unserializer.c @@ -348,6 +348,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, sizeof data, NULL); } + var_push_dtor(var_hash, &data); zval_dtor(key); FREE_ZVAL(key); @@ -482,7 +483,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER) -#line 486 "ext/standard/var_unserializer.c" +#line 487 "ext/standard/var_unserializer.c" { YYCTYPE yych; static const unsigned char yybm[] = { @@ -542,9 +543,9 @@ yy2: yych = *(YYMARKER = ++YYCURSOR); if (yych == ':') goto yy95; yy3: -#line 837 "ext/standard/var_unserializer.re" +#line 838 "ext/standard/var_unserializer.re" { return 0; } -#line 548 "ext/standard/var_unserializer.c" +#line 549 "ext/standard/var_unserializer.c" yy4: yych = *(YYMARKER = ++YYCURSOR); if (yych == ':') goto yy89; @@ -587,13 +588,13 @@ yy13: goto yy3; yy14: ++YYCURSOR; -#line 831 "ext/standard/var_unserializer.re" +#line 832 "ext/standard/var_unserializer.re" { /* this is the case where we have less data than planned */ php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Unexpected end of serialized data"); return 0; /* not sure if it should be 0 or 1 here? */ } -#line 597 "ext/standard/var_unserializer.c" +#line 598 "ext/standard/var_unserializer.c" yy16: yych = *++YYCURSOR; goto yy3; @@ -623,7 +624,7 @@ yy20: yych = *++YYCURSOR; if (yych != '"') goto yy18; ++YYCURSOR; -#line 685 "ext/standard/var_unserializer.re" +#line 686 "ext/standard/var_unserializer.re" { size_t len, len2, len3, maxlen; long elements; @@ -769,7 +770,7 @@ yy20: return object_common2(UNSERIALIZE_PASSTHRU, elements); } -#line 773 "ext/standard/var_unserializer.c" +#line 774 "ext/standard/var_unserializer.c" yy25: yych = *++YYCURSOR; if (yych <= ',') { 
@@ -794,7 +795,7 @@ yy27: yych = *++YYCURSOR; if (yych != '"') goto yy18; ++YYCURSOR; -#line 677 "ext/standard/var_unserializer.re" +#line 678 "ext/standard/var_unserializer.re" { INIT_PZVAL(*rval); @@ -802,7 +803,7 @@ yy27: return object_common2(UNSERIALIZE_PASSTHRU, object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR)); } -#line 806 "ext/standard/var_unserializer.c" +#line 807 "ext/standard/var_unserializer.c" yy32: yych = *++YYCURSOR; if (yych == '+') goto yy33; @@ -823,7 +824,7 @@ yy34: yych = *++YYCURSOR; if (yych != '{') goto yy18; ++YYCURSOR; -#line 657 "ext/standard/var_unserializer.re" +#line 658 "ext/standard/var_unserializer.re" { long elements = parse_iv(start + 2); /* use iv() not uiv() in order to check data range */ @@ -843,7 +844,7 @@ yy34: return finish_nested_data(UNSERIALIZE_PASSTHRU); } -#line 847 "ext/standard/var_unserializer.c" +#line 848 "ext/standard/var_unserializer.c" yy39: yych = *++YYCURSOR; if (yych == '+') goto yy40; @@ -864,7 +865,7 @@ yy41: yych = *++YYCURSOR; if (yych != '"') goto yy18; ++YYCURSOR; -#line 628 "ext/standard/var_unserializer.re" +#line 629 "ext/standard/var_unserializer.re" { size_t len, maxlen; char *str; @@ -893,7 +894,7 @@ yy41: ZVAL_STRINGL(*rval, str, len, 0); return 1; } -#line 897 "ext/standard/var_unserializer.c" +#line 898 "ext/standard/var_unserializer.c" yy46: yych = *++YYCURSOR; if (yych == '+') goto yy47; @@ -914,7 +915,7 @@ yy48: yych = *++YYCURSOR; if (yych != '"') goto yy18; ++YYCURSOR; -#line 600 "ext/standard/var_unserializer.re" +#line 601 "ext/standard/var_unserializer.re" { size_t len, maxlen; char *str; @@ -942,7 +943,7 @@ yy48: ZVAL_STRINGL(*rval, str, len, 1); return 1; } -#line 946 "ext/standard/var_unserializer.c" +#line 947 "ext/standard/var_unserializer.c" yy53: yych = *++YYCURSOR; if (yych <= '/') { @@ -1030,7 +1031,7 @@ yy61: } yy63: ++YYCURSOR; -#line 590 "ext/standard/var_unserializer.re" +#line 591 "ext/standard/var_unserializer.re" { #if SIZEOF_LONG == 4 use_double: 
@@ -1040,7 +1041,7 @@ use_double: ZVAL_DOUBLE(*rval, zend_strtod((const char *)start + 2, NULL)); return 1; } -#line 1044 "ext/standard/var_unserializer.c" +#line 1045 "ext/standard/var_unserializer.c" yy65: yych = *++YYCURSOR; if (yych <= ',') { @@ -1099,7 +1100,7 @@ yy73: yych = *++YYCURSOR; if (yych != ';') goto yy18; ++YYCURSOR; -#line 575 "ext/standard/var_unserializer.re" +#line 576 "ext/standard/var_unserializer.re" { *p = YYCURSOR; INIT_PZVAL(*rval); @@ -1114,7 +1115,7 @@ yy73: return 1; } -#line 1118 "ext/standard/var_unserializer.c" +#line 1119 "ext/standard/var_unserializer.c" yy76: yych = *++YYCURSOR; if (yych == 'N') goto yy73; @@ -1141,7 +1142,7 @@ yy79: if (yych <= '9') goto yy79; if (yych != ';') goto yy18; ++YYCURSOR; -#line 548 "ext/standard/var_unserializer.re" +#line 549 "ext/standard/var_unserializer.re" { #if SIZEOF_LONG == 4 int digits = YYCURSOR - start - 3; @@ -1168,7 +1169,7 @@ yy79: ZVAL_LONG(*rval, parse_iv(start + 2)); return 1; } -#line 1172 "ext/standard/var_unserializer.c" +#line 1173 "ext/standard/var_unserializer.c" yy83: yych = *++YYCURSOR; if (yych <= '/') goto yy18; @@ -1176,24 +1177,24 @@ yy83: yych = *++YYCURSOR; if (yych != ';') goto yy18; ++YYCURSOR; -#line 541 "ext/standard/var_unserializer.re" +#line 542 "ext/standard/var_unserializer.re" { *p = YYCURSOR; INIT_PZVAL(*rval); ZVAL_BOOL(*rval, parse_iv(start + 2)); return 1; } -#line 1187 "ext/standard/var_unserializer.c" +#line 1188 "ext/standard/var_unserializer.c" yy87: ++YYCURSOR; -#line 534 "ext/standard/var_unserializer.re" +#line 535 "ext/standard/var_unserializer.re" { *p = YYCURSOR; INIT_PZVAL(*rval); ZVAL_NULL(*rval); return 1; } -#line 1197 "ext/standard/var_unserializer.c" +#line 1198 "ext/standard/var_unserializer.c" yy89: yych = *++YYCURSOR; if (yych <= ',') { @@ -1216,7 +1217,7 @@ yy91: if (yych <= '9') goto yy91; if (yych != ';') goto yy18; ++YYCURSOR; -#line 511 "ext/standard/var_unserializer.re" +#line 512 "ext/standard/var_unserializer.re" { long id; 
@@ -1239,7 +1240,7 @@ yy91: return 1; }
-#line 1243 "ext/standard/var_unserializer.c"
+#line 1244 "ext/standard/var_unserializer.c"
 yy95: yych = *++YYCURSOR; if (yych <= ',') {
@@ -1262,7 +1263,7 @@ yy97: if (yych <= '9') goto yy97; if (yych != ';') goto yy18; ++YYCURSOR;
-#line 490 "ext/standard/var_unserializer.re"
+#line 491 "ext/standard/var_unserializer.re"
 { long id;
@@ -1283,9 +1284,9 @@ yy97: return 1; }
-#line 1287 "ext/standard/var_unserializer.c"
+#line 1288 "ext/standard/var_unserializer.c"
 }
-#line 839 "ext/standard/var_unserializer.re"
+#line 840 "ext/standard/var_unserializer.re"
 return 0;
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
index 7646667edf..28418eaaa4 100644
--- a/ext/standard/var_unserializer.re
+++ b/ext/standard/var_unserializer.re
@@ -352,6 +352,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
 zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, sizeof data, NULL);
 }
+ var_push_dtor(var_hash, &data);
 zval_dtor(key);
 FREE_ZVAL(key); |
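Review bot: The added `var_push_dtor(var_hash, &data);` in process_nested_data carries no comment explaining why a zval that was just stored into `ht` must also be registered with var_hash, so a later reader cannot distinguish it from a leak and may remove it; suggest `/* bug #68976: register data for deferred destruction so it is not freed while unserialize() still references it */` above the call. The diffstat lists only the two source files, so no regression test accompanies the fix; a serialize test that reproduces the original use-after-free would keep this from silently regressing. process_nested_data starts and ends outside the hunk, so it cannot be confirmed here whether the call follows every branch that inserts `data` into `ht` or only the string-key `zend_hash_update` branch that is visible. The same line appears in the generated var_unserializer.c hunk, and the `#line` renumbering there indicates the .c was regenerated rather than patched by hand, which is the right way to keep the two in sync.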