author | Stanislav Malyshev <stas@php.net> | 2015-09-01 12:51:48 -0700 |
---|---|---|
committer | Ferenc Kovacs <tyrael@php.net> | 2015-09-03 01:52:12 +0200 |
commit | a4c64d152cee3f71fd931b18ef4b8a540337ee72 (patch) | |
tree | fd9ab117d5d1bc677e4e56f8db320f260c3536a9 | |
parent | 8b218b5aa88770e5829296fb8875248cd8f11016 (diff) | |
download | php-git-a4c64d152cee3f71fd931b18ef4b8a540337ee72.tar.gz |
Merge branch 'PHP-5.5' into PHP-5.6
* PHP-5.5:
More fixes for bug #70219
-rw-r--r-- | ext/pcre/php_pcre.c | 2 | ||||
-rw-r--r-- | ext/session/session.c | 7 | ||||
-rw-r--r-- | ext/standard/tests/serialize/bug70219_1.phpt | 46 |
3 files changed, 52 insertions, 3 deletions
diff --git a/ext/pcre/php_pcre.c b/ext/pcre/php_pcre.c
index 36d913d4df..554693d175 100644
--- a/ext/pcre/php_pcre.c
+++ b/ext/pcre/php_pcre.c
@@ -577,7 +577,7 @@ static void php_do_pcre_match(INTERNAL_FUNCTION_PARAMETERS, int global) /* {{{ *
 }
 pce->refcount++;
- php_pcre_match_impl(pce, subject, subject_len, return_value, subpats,
+ php_pcre_match_impl(pce, subject, subject_len, return_value, subpats,
 global, ZEND_NUM_ARGS() >= 4, flags, start_offset TSRMLS_CC);
 pce->refcount--;
 }
diff --git a/ext/session/session.c b/ext/session/session.c
index 56540ae4fc..eca1ddb4cc 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -864,7 +864,10 @@ PS_SERIALIZER_DECODE_FUNC(php_serialize) /* {{{ */
 PHP_VAR_UNSERIALIZE_INIT(var_hash);
 ALLOC_INIT_ZVAL(session_vars);
- php_var_unserialize(&session_vars, &val, endptr, &var_hash TSRMLS_CC);
+ if (php_var_unserialize(&session_vars, &val, endptr, &var_hash TSRMLS_CC)) {
+ var_push_dtor(&var_hash, &session_vars);
+ }
+
 PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
 if (PS(http_session_vars)) {
 zval_ptr_dtor(&PS(http_session_vars));
@@ -873,7 +876,7 @@ PS_SERIALIZER_DECODE_FUNC(php_serialize) /* {{{ */
 array_init(session_vars);
 }
 PS(http_session_vars) = session_vars;
- ZEND_SET_GLOBAL_VAR_WITH_LENGTH("_SESSION", sizeof("_SESSION"), PS(http_session_vars), 2, 1);
+ ZEND_SET_GLOBAL_VAR_WITH_LENGTH("_SESSION", sizeof("_SESSION"), PS(http_session_vars), Z_REFCOUNT_P(PS(http_session_vars)) + 1, 1);
 return SUCCESS;
 }
 /* }}} */
diff --git a/ext/standard/tests/serialize/bug70219_1.phpt b/ext/standard/tests/serialize/bug70219_1.phpt
new file mode 100644
index 0000000000..f9c4c672fd
--- /dev/null
+++ b/ext/standard/tests/serialize/bug70219_1.phpt
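Review bot: The new refcount argument on the ZEND_SET_GLOBAL_VAR_WITH_LENGTH line in the second session.c hunk encodes the invariant the old literal `2` got wrong, but nothing in the code says what it is, so a reader will not see why the count is read back from the zval instead of stated. The literal assumed that only PS(http_session_vars) and the symbol table hold session_vars, which presumably stops being true once the unserializer's back-references (the `r:2;` in the new test) point at the same array; since the macro, judging by its argument, sets the count rather than incrementing it, the literal under-counted and the array could be freed while still referenced. A one-line comment above that call, `/* symbol table adds exactly one holder; keep the references unserialize already created */`, and one above the new var_push_dtor call in the first hunk naming why session_vars is handed to the unserializer's dtor list (its lifetime rule is not visible here) would carry that. The expression is only right because the assignment `PS(http_session_vars) = session_vars;` is immediately adjacent; a comment should say the two lines must stay together. PS_SERIALIZER_DECODE_FUNC(php_serialize) begins before the first hunk.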
@@ -0,0 +1,46 @@
+--TEST--
+Bug #70219 Use after free vulnerability in session deserializer
+--FILE--
+<?php
+ini_set('session.serialize_handler', 'php_serialize');
+session_start();
+
+class obj implements Serializable {
+ var $data;
+ function serialize() {
+ return serialize($this->data);
+ }
+ function unserialize($data) {
+ session_decode($data);
+ }
+}
+
+$inner = 'r:2;';
+$exploit = 'a:2:{i:0;C:3:"obj":'.strlen($inner).':{'.$inner.'}i:1;C:3:"obj":'.strlen($inner).':{'.$inner.'}}';
+
+$data = unserialize($exploit);
+
+for ($i = 0; $i < 5; $i++) {
+ $v[$i] = 'hi'.$i;
+}
+
+var_dump($data);
+var_dump($_SESSION);
+?>
+--EXPECTF--
+array(2) {
+ [0]=>
+ &object(obj)#%d (1) {
+ ["data"]=>
+ NULL
+ }
+ [1]=>
+ object(obj)#%d (1) {
+ ["data"]=>
+ NULL
+ }
+}
+object(obj)#1 (1) {
+ ["data"]=>
+ NULL
+}
\ No newline at end of file |
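Review bot: The new test lives under ext/standard but calls session_start() and session_decode() with no --SKIPIF-- section, so on a build without ext/session it fails on an undefined function instead of being skipped. Adding `--SKIPIF--` followed by `<?php if (!extension_loaded('session')) die('skip session extension not available'); ?>` before --FILE-- would make the regression test portable. The --EXPECTF-- block is also inconsistent with itself: the two objects inside the array use `#%d` while the final `object(obj)#1 (1) {` pins a concrete handle, which presumably is deliberate but reads as an oversight without a comment in the test body saying why that one id is fixed.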