From f6896e4395e89ceeacd8f8a940cbafeeee3ac4a3 Mon Sep 17 00:00:00 2001
From: Tjerk Meesters
Date: Wed, 13 Aug 2014 20:12:42 +0800
Subject: Fixed #66091
---
 ext/date/php_date.c | 28 +++++++++++++++++-----------
 1 file changed, 17 insertions(+), 11 deletions(-)
(limited to 'ext/date/php_date.c')
diff --git a/ext/date/php_date.c b/ext/date/php_date.c
index 4259bf0fcb..92e9480a43 100644
--- a/ext/date/php_date.c
+++ b/ext/date/php_date.c
@@ -2398,11 +2398,7 @@ static void date_object_free_storage_period(void *object TSRMLS_DC)
 /* Advanced Interface */
 PHPAPI zval *php_date_instantiate(zend_class_entry *pce, zval *object TSRMLS_DC)
 {
- Z_TYPE_P(object) = IS_OBJECT;
 object_init_ex(object, pce);
- Z_SET_REFCOUNT_P(object, 1);
- Z_UNSET_ISREF_P(object);
-
 return object;
 }
@@ -2510,14 +2506,19 @@ PHP_FUNCTION(date_create)
 zval *timezone_object = NULL;
 char *time_str = NULL;
 int time_str_len = 0;
+ zval datetime_object;
 if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|sO!", &time_str, &time_str_len, &timezone_object, date_ce_timezone) == FAILURE) {
 RETURN_FALSE;
 }
- php_date_instantiate(date_ce_date, return_value TSRMLS_CC);
- if (!php_date_initialize(zend_object_store_get_object(return_value TSRMLS_CC), time_str, time_str_len, NULL, timezone_object, 0 TSRMLS_CC)) {
+ php_date_instantiate(date_ce_date, &datetime_object TSRMLS_CC);
+ if (!php_date_initialize(zend_object_store_get_object(&datetime_object TSRMLS_CC), time_str, time_str_len, NULL, timezone_object, 0 TSRMLS_CC)) {
+ zval_dtor(&datetime_object);
 RETURN_FALSE;
+ } else {
+ zval *datetime_object_ptr = &datetime_object;
+ RETVAL_ZVAL(datetime_object_ptr, 0, 0);
 }
 }
 /* }}} */
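Review bot: With the `Z_SET_REFCOUNT_P(object, 1);` and `Z_UNSET_ISREF_P(object);` lines gone, `php_date_instantiate()` now initializes only whatever `object_init_ex()` initializes, and this is a PHPAPI entry point that the next hunk starts calling with an uninitialized stack `zval datetime_object;`. If `object_init_ex()` leaves the refcount and is_ref fields untouched (this hunk does not show either way), those fields hold garbage on the local zval until `RETVAL_ZVAL` copies it. Either keep the two initializations here or require callers to declare the local as `zval datetime_object; INIT_ZVAL(datetime_object);`, and state the contract in a comment on the function: `/* object must be a zval the caller has initialized (INIT_ZVAL/MAKE_STD_ZVAL); only the object value is set here */`.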
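Review bot: The `} else {` branch is dead weight because `RETURN_FALSE;` already leaves the function, and the `datetime_object_ptr` temporary exists only to hand `RETVAL_ZVAL` an address it can take directly; `RETVAL_ZVAL(&datetime_object, 0, 0);` placed after the `if` block reads the same without the extra local. The identical shape is repeated in `date_create_from_format()` in the following hunk and should be simplified there too. With copy=0 and dtor=0 the local's object value is shared with `return_value` rather than re-counted, so nothing may `zval_dtor` the local afterwards; a one-line comment at the `RETVAL_ZVAL` call, `/* value handed to return_value; do not dtor datetime_object after this */`, would make that ownership explicit for the next maintainer.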
@@ -2530,14 +2531,19 @@ PHP_FUNCTION(date_create_from_format)
 zval *timezone_object = NULL;
 char *time_str = NULL, *format_str = NULL;
 int time_str_len = 0, format_str_len = 0;
+ zval datetime_object;
 if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss|O", &format_str, &format_str_len, &time_str, &time_str_len, &timezone_object, date_ce_timezone) == FAILURE) {
 RETURN_FALSE;
 }
- php_date_instantiate(date_ce_date, return_value TSRMLS_CC);
- if (!php_date_initialize(zend_object_store_get_object(return_value TSRMLS_CC), time_str, time_str_len, format_str, timezone_object, 0 TSRMLS_CC)) {
+ php_date_instantiate(date_ce_date, &datetime_object TSRMLS_CC);
+ if (!php_date_initialize(zend_object_store_get_object(&datetime_object TSRMLS_CC), time_str, time_str_len, format_str, timezone_object, 0 TSRMLS_CC)) {
+ zval_dtor(&datetime_object);
 RETURN_FALSE;
+ } else {
+ zval *datetime_object_ptr = &datetime_object;
+ RETVAL_ZVAL(datetime_object_ptr, 0, 0);
 }
 }
 /* }}} */
@@ -2560,7 +2566,7 @@ PHP_METHOD(DateTime, __construct)
 }
 /* }}} */
-static int php_date_initialize_from_hash(zval **return_value, php_date_obj **dateobj, HashTable *myht TSRMLS_DC)
+static int php_date_initialize_from_hash(php_date_obj **dateobj, HashTable *myht TSRMLS_DC)
 {
 zval **z_date = NULL;
 zval **z_timezone = NULL;
@@ -2630,7 +2636,7 @@ PHP_METHOD(DateTime, __set_state)
 php_date_instantiate(date_ce_date, return_value TSRMLS_CC);
 dateobj = (php_date_obj *) zend_object_store_get_object(return_value TSRMLS_CC);
- if (!php_date_initialize_from_hash(&return_value, &dateobj, myht TSRMLS_CC)) {
+ if (!php_date_initialize_from_hash(&dateobj, myht TSRMLS_CC)) {
 php_error(E_ERROR, "Invalid serialization data for DateTime object");
 }
 }
@@ -2648,7 +2654,7 @@ PHP_METHOD(DateTime, __wakeup)
 myht = Z_OBJPROP_P(object);
- if (!php_date_initialize_from_hash(&return_value, &dateobj, myht TSRMLS_CC)) {
+ if (!php_date_initialize_from_hash(&dateobj, myht TSRMLS_CC)) {
 php_error(E_ERROR, "Invalid serialization data for DateTime object");
 }
 }
-- cgit v1.2.1
From 7b1898183032eeabc64a086ff040af991cebcd93 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev
Date: Sat, 31 Jan 2015 22:40:08 -0800
Subject: Fix bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone)
Conflicts:
 ext/date/php_date.c
---
 ext/date/php_date.c | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)
(limited to 'ext/date/php_date.c')
diff --git a/ext/date/php_date.c b/ext/date/php_date.c
index 92e9480a43..08bfd0899b 100644
--- a/ext/date/php_date.c
+++ b/ext/date/php_date.c
@@ -2575,12 +2575,9 @@ static int php_date_initialize_from_hash(php_date_obj **dateobj, HashTable *myht
 timelib_tzinfo *tzi;
 php_timezone_obj *tzobj;
- if (zend_hash_find(myht, "date", 5, (void**) &z_date) == SUCCESS) {
- convert_to_string(*z_date);
- if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS) {
- convert_to_long(*z_timezone_type);
- if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS) {
- convert_to_string(*z_timezone);
+ if (zend_hash_find(myht, "date", 5, (void**) &z_date) == SUCCESS && Z_TYPE_PP(z_date) == IS_STRING) {
+ if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS && Z_TYPE_PP(z_timezone_type) == IS_LONG) {
+ if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS && Z_TYPE_PP(z_timezone) == IS_STRING) {
 switch (Z_LVAL_PP(z_timezone_type)) {
 case TIMELIB_ZONETYPE_OFFSET:
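Review bot: The new `Z_TYPE_PP(...) == IS_STRING` / `IS_LONG` guards address the root cause named in the commit subject — the removed `convert_to_*()` calls rewrote zvals in place inside `myht`, which is the object's own property table, so a conversion could free a value another reference still used — but the code does not say why it checks instead of coercing, and a later cleanup could reintroduce the in-place conversion. I would add above the first `if`: `/* Type-check rather than convert_to_*() in place: myht is the object's property table and these zvals may be referenced elsewhere (bug #68942) */`. A type mismatch now falls through the nested ifs to the function's failure path, which lies outside this hunk; presumably that is what makes the callers' `php_error(E_ERROR, "Invalid serialization data for DateTime object")` fire, but that cannot be confirmed from here. The removal of `convert_to_string(*z_timezone)` in the next hunk follows from the same guard and needs no separate comment.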
@@ -2595,7 +2592,6 @@ static int php_date_initialize_from_hash(php_date_obj **dateobj, HashTable *myht
 case TIMELIB_ZONETYPE_ID: {
 int ret;
- convert_to_string(*z_timezone);
 tzi = php_date_parse_tzfile(Z_STRVAL_PP(z_timezone), DATE_TIMEZONEDB TSRMLS_CC);
-- cgit v1.2.1