author | Stanislav Malyshev <stas@php.net> | 2015-04-05 17:30:59 -0700 |
---|---|---|
committer | Julien Pauli <jpauli@php.net> | 2015-04-15 10:11:43 +0200 |
commit | 1da9156e60d3d02cc4661244e40d95d5eb76b881 (patch) | |
tree | 211f0fb55ea55b0fa13aaf7facfea1dac6307600 | |
parent | 52b93f0cfd3cba7ff98cc5198df6ca4f23865f80 (diff) | |
More fixes for bug #69152
-rw-r--r-- | Zend/zend_exceptions.c | 3 | ||||
-rw-r--r-- | ext/standard/tests/serialize/bug69152.phpt | 16 |
2 files changed, 19 insertions, 0 deletions
diff --git a/Zend/zend_exceptions.c b/Zend/zend_exceptions.c
index 3d73e92c50..f163495906 100644
--- a/Zend/zend_exceptions.c
+++ b/Zend/zend_exceptions.c
@@ -591,6 +591,9 @@ ZEND_METHOD(exception, getTraceAsString)
 str = &res;
 trace = zend_read_property(default_exception_ce, getThis(), "trace", sizeof("trace")-1, 1 TSRMLS_CC);
+ if(Z_TYPE_P(trace) != IS_ARRAY) {
+ RETURN_FALSE;
+ }
 zend_hash_apply_with_arguments(Z_ARRVAL_P(trace) TSRMLS_CC, (apply_func_args_t)_build_trace_string, 3, str, len, &num);
 s_tmp = emalloc(1 + MAX_LENGTH_OF_LONG + 7 + 1);
diff --git a/ext/standard/tests/serialize/bug69152.phpt b/ext/standard/tests/serialize/bug69152.phpt
new file mode 100644
index 0000000000..4e741685cc
--- /dev/null
+++ b/ext/standard/tests/serialize/bug69152.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Bug #69152: Type Confusion Infoleak Vulnerability in unserialize()
+--FILE--
+<?php
+$x = unserialize('O:9:"exception":1:{s:16:"'."\0".'Exception'."\0".'trace";s:4:"ryat";}');
+echo $x;
+$x = unserialize('O:4:"test":1:{s:27:"__PHP_Incomplete_Class_Name";R:1;}');
+$x->test();
+
+?>
+--EXPECTF--
+exception 'Exception' in %s:%d
+Stack trace:
+#0 {main}
+
+Fatal error: main(): The script tried to execute a method or access a property of an incomplete object. Please ensure that the class definition "unknown" of the object you are trying to operate on was loaded _before_ unserialize() gets called or provide a __autoload() function to load the class definition in %s on line %d |
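Review bot: The early `RETURN_FALSE` added after the `zend_read_property()` call exits after `str = &res;` has already run, so if `res` owns an emalloc'd buffer at that point (its initialisation is above the hunk and not visible here), that buffer is leaked every time a non-array `trace` is encountered. Either release it on this path, `efree(res); RETURN_FALSE;`, or move the type check above the allocation so nothing needs cleaning up. Since `trace` is attacker-controllable through unserialize(), a one-line comment stating that would keep the guard from being removed later, e.g. `/* trace may be any type after unserialize(); only walk it when it is an array */`. The added `if(` also lacks the space after the keyword that the surrounding code style uses. getTraceAsString starts and ends outside the hunk.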
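Review bot: The new test exercises the patched method only indirectly through `echo $x`, so the `false` return introduced for a non-array `trace` is never asserted on its own; the expected output would presumably stay the same if the string conversion handled the bad value by some other path. Adding `var_dump($x->getTraceAsString());` right after `echo $x;`, with a matching `bool(false)` line in `--EXPECTF--`, would pin the behaviour of the guard itself. It has to go before `$x->test();`, because that call ends the script with the expected fatal error and nothing after it runs.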