diff options
author | Stanislav Malyshev <stas@php.net> | 2015-02-17 06:53:27 +0100 |
---|---|---|
committer | Ferenc Kovacs <tyrael@php.net> | 2015-02-18 20:35:56 +0100 |
commit | 71335e6ebabc1b12c057d8017fd811892ecdfd24 (patch) | |
tree | 6382d556c8624905689bb59d1de0c4cf3e5232a5 | |
parent | 09c5ab45a41cdd8ee64a6a5a93d6992c9e0a278e (diff) | |
download | php-git-71335e6ebabc1b12c057d8017fd811892ecdfd24.tar.gz |
Fix bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone)
-rw-r--r-- | ext/date/php_date.c | 21 | ||||
-rw-r--r-- | ext/date/tests/bug68942.phpt | 9 | ||||
-rw-r--r-- | ext/date/tests/bug68942_2.phpt | 9 |
3 files changed, 28 insertions, 11 deletions
diff --git a/ext/date/php_date.c b/ext/date/php_date.c index f8571b91b5..15ca08d3a9 100644 --- a/ext/date/php_date.c +++ b/ext/date/php_date.c @@ -2807,12 +2807,9 @@ static int php_date_initialize_from_hash(php_date_obj **dateobj, HashTable *myht timelib_tzinfo *tzi; php_timezone_obj *tzobj; - if (zend_hash_find(myht, "date", 5, (void**) &z_date) == SUCCESS) { - convert_to_string(*z_date); - if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS) { - convert_to_long(*z_timezone_type); - if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS) { - convert_to_string(*z_timezone); + if (zend_hash_find(myht, "date", 5, (void**) &z_date) == SUCCESS && Z_TYPE_PP(z_date) == IS_STRING) { + if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS && Z_TYPE_PP(z_timezone_type) == IS_LONG) { + if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS && Z_TYPE_PP(z_timezone) == IS_STRING) { switch (Z_LVAL_PP(z_timezone_type)) { case TIMELIB_ZONETYPE_OFFSET: @@ -2827,7 +2824,6 @@ static int php_date_initialize_from_hash(php_date_obj **dateobj, HashTable *myht case TIMELIB_ZONETYPE_ID: { int ret; - convert_to_string(*z_timezone); tzi = php_date_parse_tzfile(Z_STRVAL_PP(z_timezone), DATE_TIMEZONEDB TSRMLS_CC); @@ -3744,9 +3740,8 @@ static int php_date_timezone_initialize_from_hash(zval **return_value, php_timez zval **z_timezone = NULL; zval **z_timezone_type = NULL; - if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS) { + if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS && Z_TYPE_PP(z_timezone_type) == IS_LONG) { if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS) { - convert_to_long(*z_timezone_type); if (SUCCESS == timezone_initialize(*tzobj, Z_STRVAL_PP(z_timezone) TSRMLS_CC)) { return SUCCESS; } @@ -3771,7 +3766,9 @@ PHP_METHOD(DateTimeZone, __set_state) php_date_instantiate(date_ce_timezone, return_value TSRMLS_CC); tzobj = (php_timezone_obj *) zend_object_store_get_object(return_value TSRMLS_CC); - php_date_timezone_initialize_from_hash(&return_value, &tzobj, myht TSRMLS_CC); + if(php_date_timezone_initialize_from_hash(&return_value, &tzobj, myht TSRMLS_CC) != SUCCESS) { + php_error_docref(NULL, E_ERROR, "Timezone initialization failed"); + } } /* }}} */ @@ -3787,7 +3784,9 @@ PHP_METHOD(DateTimeZone, __wakeup) myht = Z_OBJPROP_P(object); - php_date_timezone_initialize_from_hash(&return_value, &tzobj, myht TSRMLS_CC); + if(php_date_timezone_initialize_from_hash(&return_value, &tzobj, myht TSRMLS_CC) != SUCCESS) { + php_error_docref(NULL, E_ERROR, "Timezone initialization failed"); + } } /* }}} */ diff --git a/ext/date/tests/bug68942.phpt b/ext/date/tests/bug68942.phpt new file mode 100644 index 0000000000..595cd9fa92 --- /dev/null +++ b/ext/date/tests/bug68942.phpt @@ -0,0 +1,9 @@ +--TEST-- +Bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone). +--FILE-- +<?php +$data = unserialize('a:2:{i:0;O:12:"DateTimeZone":2:{s:13:"timezone_type";a:2:{i:0;i:1;i:1;i:2;}s:8:"timezone";s:1:"A";}i:1;R:4;}'); +var_dump($data); +?> +--EXPECTF-- +Fatal error: DateTimeZone::__wakeup(): Timezone initialization failed in %s/bug68942.php on line %d diff --git a/ext/date/tests/bug68942_2.phpt b/ext/date/tests/bug68942_2.phpt new file mode 100644 index 0000000000..5b02567008 --- /dev/null +++ b/ext/date/tests/bug68942_2.phpt @@ -0,0 +1,9 @@ +--TEST-- +Bug #68942 (Use after free vulnerability in unserialize() with DateTime). +--FILE-- +<?php +$data = unserialize('a:2:{i:0;O:8:"DateTime":3:{s:4:"date";s:26:"2000-01-01 00:00:00.000000";s:13:"timezone_type";a:2:{i:0;i:1;i:1;i:2;}s:8:"timezone";s:1:"A";}i:1;R:5;}'); +var_dump($data); +?> +--EXPECTF-- +Fatal error: Invalid serialization data for DateTime object in %s/bug68942_2.php on line %d |