author | Nikita Popov <nikic@php.net> | 2017-01-16 13:24:13 +0100 |
---|---|---|
committer | Nikita Popov <nikic@php.net> | 2017-01-16 13:24:13 +0100 |
commit | 6477bb724e0c4e95dfc8f315cac4b7e7a692b0f8 (patch) | |
tree | e1e18e0504e1fa8426b91630da9d8369b4e358d0 | |
parent | 50b38322b96416b0a5609591a52178f6100768da (diff) | |
download | php-git-6477bb724e0c4e95dfc8f315cac4b7e7a692b0f8.tar.gz |
Add additional serialize tests for fixed bugs
These have been fixed as a side-effect of the delayed __wakeup
patch.
-rw-r--r-- | ext/standard/tests/serialize/bug69425.phpt | 63 | ||||
-rw-r--r-- | ext/standard/tests/serialize/bug70513.phpt | 39 | ||||
-rw-r--r-- | ext/standard/tests/serialize/bug72731.phpt | 18 |
3 files changed, 120 insertions, 0 deletions
diff --git a/ext/standard/tests/serialize/bug69425.phpt b/ext/standard/tests/serialize/bug69425.phpt
new file mode 100644
index 0000000000..bfa8b9b369
--- /dev/null
+++ b/ext/standard/tests/serialize/bug69425.phpt
@@ -0,0 +1,63 @@
+--TEST--
+Bug #69425: Use After Free in unserialize()
+--FILE--
+<?php
+
+// POC 1
+class test
+{
+ var $ryat;
+
+ function __wakeup()
+ {
+ $this->ryat = 1;
+ }
+}
+
+$data = unserialize('a:2:{i:0;O:4:"test":1:{s:4:"ryat";R:1;}i:1;i:2;}');
+var_dump($data);
+
+// POC 2
+$data = unserialize('a:2:{i:0;O:12:"DateInterval":1:{s:1:"y";R:1;}i:1;i:2;}');
+var_dump($data);
+
+?>
+--EXPECT--
+int(1)
+array(2) {
+ [0]=>
+ object(DateInterval)#1 (15) {
+ ["y"]=>
+ int(-1)
+ ["m"]=>
+ int(-1)
+ ["d"]=>
+ int(-1)
+ ["h"]=>
+ int(-1)
+ ["i"]=>
+ int(-1)
+ ["s"]=>
+ int(-1)
+ ["weekday"]=>
+ int(-1)
+ ["weekday_behavior"]=>
+ int(-1)
+ ["first_last_day_of"]=>
+ int(-1)
+ ["invert"]=>
+ int(0)
+ ["days"]=>
+ int(-1)
+ ["special_type"]=>
+ int(0)
+ ["special_amount"]=>
+ int(-1)
+ ["have_weekday_relative"]=>
+ int(0)
+ ["have_special_relative"]=>
+ int(0)
+ }
+ [1]=>
+ int(2)
+}
diff --git a/ext/standard/tests/serialize/bug70513.phpt b/ext/standard/tests/serialize/bug70513.phpt
new file mode 100644
index 0000000000..2ac4ef6626
--- /dev/null
+++ b/ext/standard/tests/serialize/bug70513.phpt
@@ -0,0 +1,39 @@
+--TEST--
+Bug #70513: GMP Deserialization Type Confusion Vulnerability
+--SKIPIF--
+<?php if (!extension_loaded('gmp')) die('skip requires gmp');
+--FILE--
+<?php
+
+class obj
+{
+ var $ryat;
+
+ function __wakeup()
+ {
+ $this->ryat = 1;
+ }
+}
+
+$obj = new stdClass;
+$obj->aa = 1;
+$obj->bb = 2;
+
+$inner = 's:1:"1";a:3:{s:2:"aa";s:2:"hi";s:2:"bb";s:2:"hi";i:0;O:3:"obj":1:{s:4:"ryat";R:2;}}';
+$exploit = 'a:1:{i:0;C:3:"GMP":'.strlen($inner).':{'.$inner.'}}';
+$x = unserialize($exploit);
+var_dump($x);
+var_dump($obj);
+
+?>
+--EXPECT--
+array(1) {
+ [0]=>
+ int(1)
+}
+object(stdClass)#1 (2) {
+ ["aa"]=>
+ int(1)
+ ["bb"]=>
+ int(2)
+}
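Review bot: The POC 2 expectation in bug69425.phpt pins the complete 15-property `var_dump` of `DateInterval`, so this use-after-free regression test will also start failing whenever ext/date adds or renames a property, which has nothing to do with unserialize(). Asserting only what the bug is about would be more stable, for example replacing the second `var_dump($data);` with `var_dump($data[0] instanceof DateInterval, $data[1]);` and shortening `--EXPECT--` to match. It would also help to add a short comment above each payload saying that `R:1` points back at the outer array, which is why POC 1 is expected to collapse to `int(1)` once `__wakeup()` runs. An `--EXPECT--` match only shows the output is right, so a memory-safety regression may still pass here unless the suite is also run under a memory checker.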
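Review bot: Nothing in bug70513.phpt says why `$obj` is created and dumped, although that second `var_dump` looks like the real assertion: the payload carries `aa` and `bb` set to "hi", and the expected output requires the unrelated stdClass #1 to still hold 1 and 2. A comment above `$obj = new stdClass;` such as `// Canary: must be unchanged after unserialize(); the payload must not be able to write into an unrelated object` would make the intent explicit for whoever next touches the expected output. Because the test is skipped without gmp, it is also worth confirming that at least one CI configuration loads the extension, otherwise this regression is never exercised.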
diff --git a/ext/standard/tests/serialize/bug72731.phpt b/ext/standard/tests/serialize/bug72731.phpt
new file mode 100644
index 0000000000..3d7d1e7af3
--- /dev/null
+++ b/ext/standard/tests/serialize/bug72731.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Bug #72731: Type Confusion in Object Deserialization
+--FILE--
+<?php
+
+class obj {
+ var $ryat;
+ function __wakeup() {
+ $this->ryat = 0x1122334455;
+ }
+}
+
+$poc = 'O:8:"stdClass":1:{i:0;O:3:"obj":1:{s:4:"ryat";R:1;}}';
+var_dump(unserialize($poc));
+
+?>
+--EXPECT--
+int(73588229205) |
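Review bot: `0x1122334455` in `__wakeup()` does not fit in a 32-bit integer, so on 32-bit builds the literal becomes a float and the dump will not match the expected `int(73588229205)`. Either restrict the test with a section like `--SKIPIF--` / `<?php if (PHP_INT_SIZE != 8) die('skip 64-bit only'); ?>`, or use a marker that fits everywhere, e.g. `$this->ryat = 0x11223344;` with `int(287454020)` expected. The second option keeps the regression covered on 32-bit platforms too, assuming the exact marker value is not significant now that the bug is fixed.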