diff options
author | Stanislav Malyshev <stas@php.net> | 2015-12-28 14:46:35 -0800 |
---|---|---|
committer | Anatol Belski <ab@php.net> | 2016-01-05 13:32:35 +0100 |
commit | 366f9505a4aae98ef2f4ca39a838f628a324b746 (patch) | |
tree | ea3057e30e34dd9a8b1f85545ba482ee92e9c88a | |
parent | 8285f90d1dd0d94920c3c0b7683e8844323b0eca (diff) | |
download | php-git-366f9505a4aae98ef2f4ca39a838f628a324b746.tar.gz |
Fixed bug #70661 (Use After Free Vulnerability in WDDX Packet Deserialization)
Conflicts:
ext/wddx/wddx.c
-rw-r--r-- | ext/wddx/tests/bug70661.phpt | 69 | ||||
-rw-r--r-- | ext/wddx/wddx.c | 2 |
2 files changed, 70 insertions, 1 deletions
diff --git a/ext/wddx/tests/bug70661.phpt b/ext/wddx/tests/bug70661.phpt new file mode 100644 index 0000000000..e068c20a7a --- /dev/null +++ b/ext/wddx/tests/bug70661.phpt @@ -0,0 +1,69 @@ +--TEST-- +Bug #70661 (Use After Free Vulnerability in WDDX Packet Deserialization) +--SKIPIF-- +<?php +if (!extension_loaded("wddx")) print "skip"; +?> +--FILE-- +<?php +$fakezval = ptr2str(1122334455); +$fakezval .= ptr2str(0); +$fakezval .= "\x00\x00\x00\x00"; +$fakezval .= "\x01"; +$fakezval .= "\x00"; +$fakezval .= "\x00\x00"; + +$x = <<<EOT +<?xml version='1.0'?> +<wddxPacket version='1.0'> +<header/> + <data> + <struct> + <recordset rowCount='1' fieldNames='ryat'> + <field name='ryat'> + <var name='php_class_name'> + <string>stdClass</string> + </var> + <null/> + </field> + </recordset> + </struct> + </data> +</wddxPacket> +EOT; + +$y = wddx_deserialize($x); + +for ($i = 0; $i < 5; $i++) { + $v[$i] = $fakezval.$i; +} + +var_dump($y); + +function ptr2str($ptr) +{ + $out = ''; + + for ($i = 0; $i < 8; $i++) { + $out .= chr($ptr & 0xff); + $ptr >>= 8; + } + + return $out; +} +?> +DONE +--EXPECTF-- +array(1) { + [0]=> + array(1) { + ["ryat"]=> + array(2) { + ["php_class_name"]=> + string(8) "stdClass" + [0]=> + NULL + } + } +} +DONE
\ No newline at end of file diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c index d719be9d1e..f6efa60fbe 100644 --- a/ext/wddx/wddx.c +++ b/ext/wddx/wddx.c @@ -908,7 +908,7 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name) if (ent1->varname) { if (!strcmp(ent1->varname, PHP_CLASS_NAME_VAR) && - Z_TYPE(ent1->data) == IS_STRING && Z_STRLEN(ent1->data)) { + Z_TYPE(ent1->data) == IS_STRING && Z_STRLEN(ent1->data) && ent2->type == ST_STRUCT) { zend_bool incomplete_class = 0; zend_str_tolower(Z_STRVAL(ent1->data), Z_STRLEN(ent1->data)); |