Fixed bug #70166 - Use After Free Vulnerability in unserialize() with SPLArrayObject

author: Stanislav Malyshev <stas@php.net> 2015-08-01 21:45:19 -0700
committer: Stanislav Malyshev <stas@php.net> 2015-08-01 22:01:40 -0700
commit: 7381b6accc5559b2de039af3a22f6ec1003b03b3 (patch)
tree: 3cb1369d20f970540c4160ef5a0f3bf906824adc /ext/spl/spl_array.c
parent: c7d3c027d5ce45c96c8450a7f074ab2dfbcaa0c4 (diff)
download: php-git-7381b6accc5559b2de039af3a22f6ec1003b03b3.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index a37eced002..86608c0d52 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -1777,6 +1777,7 @@ SPL_METHOD(Array, unserialize)
 		goto outexcept;
 	}
 
+	var_push_dtor(&var_hash, &pflags);
 	--p; /* for ';' */
 	flags = Z_LVAL_P(pflags);
 	/* flags needs to be verified and we also need to verify whether the next
@@ -1800,6 +1801,7 @@ SPL_METHOD(Array, unserialize)
 		if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)) {
 			goto outexcept;
 		}
+		var_push_dtor(&var_hash, &intern->array);
 	}
 	if (*p != ';') {
 		goto outexcept;
@@ -1818,6 +1820,7 @@ SPL_METHOD(Array, unserialize)
 		goto outexcept;
 	}
 
+	var_push_dtor(&var_hash, &pmembers);
 	/* copy members */
 	if (!intern->std.properties) {
 		rebuild_object_properties(&intern->std);
author	Stanislav Malyshev <stas@php.net>	2015-08-01 21:45:19 -0700
committer	Stanislav Malyshev <stas@php.net>	2015-08-01 22:01:40 -0700
commit	7381b6accc5559b2de039af3a22f6ec1003b03b3 (patch)
tree	3cb1369d20f970540c4160ef5a0f3bf906824adc /ext/spl/spl_array.c
parent	c7d3c027d5ce45c96c8450a7f074ab2dfbcaa0c4 (diff)
download	php-git-7381b6accc5559b2de039af3a22f6ec1003b03b3.tar.gz