From e8429400d40e3c3aa4b22ba701991d698a2f3b2f Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 31 Aug 2015 21:28:11 -0700
Subject: Fix bug #70172 - Use After Free Vulnerability in unserialize()

---
 ext/standard/var.c | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

(limited to 'ext/standard/var.c')

diff --git a/ext/standard/var.c b/ext/standard/var.c
index 7603ff2ee0..33b976f42d 100644
--- a/ext/standard/var.c
+++ b/ext/standard/var.c
@@ -373,7 +373,7 @@ static int php_array_element_export(zval **zv TSRMLS_DC, int num_args, va_list a
 
 	smart_str_appendc(buf, ',');
 	smart_str_appendc(buf, '\n');
-	
+
 	return 0;
 }
 /* }}} */
@@ -392,7 +392,7 @@ static int php_object_element_export(zval **zv TSRMLS_DC, int num_args, va_list
 		const char *pname;
 		char *pname_esc;
 		int  pname_esc_len;
-		
+
 		zend_unmangle_property_name(hash_key->arKey, hash_key->nKeyLength - 1,
 				&class_name, &pname);
 		pname_esc = php_addcslashes(pname, strlen(pname), &pname_esc_len, 0,
@@ -469,7 +469,7 @@ PHPAPI void php_var_export_ex(zval **struc, int level, smart_str *buf TSRMLS_DC)
 			buffer_append_spaces(buf, level - 1);
 		}
 		smart_str_appendc(buf, ')');
-    
+
 		break;
 
 	case IS_OBJECT:
@@ -802,7 +802,7 @@ static void php_var_serialize_intern(smart_str *buf, zval *struc, HashTable *var
 					BG(serialize_lock)++;
 					res = call_user_function_ex(CG(function_table), &struc, &fname, &retval_ptr, 0, 0, 1, NULL TSRMLS_CC);
 					BG(serialize_lock)--;
-                    
+
 					if (EG(exception)) {
 						if (retval_ptr) {
 							zval_ptr_dtor(&retval_ptr);
@@ -951,6 +951,8 @@ PHP_FUNCTION(unserialize)
 	int buf_len;
 	const unsigned char *p;
 	php_unserialize_data_t var_hash;
+	int oldlevel;
+	zval *old_rval = return_value;
 
 	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &buf, &buf_len) == FAILURE) {
 		RETURN_FALSE;
@@ -970,6 +972,19 @@ PHP_FUNCTION(unserialize)
 		}
 		RETURN_FALSE;
 	}
+	if (return_value != old_rval) {
+		/*
+		 * Terrible hack due to the fact that executor passes us zval *,
+		 * but unserialize with r/R wants to replace it with another zval *
+		 */
+		zval_dtor(old_rval);
+		*old_rval = *return_value;
+		zval_copy_ctor(old_rval);
+		var_push_dtor_no_addref(&var_hash, &return_value);
+		var_push_dtor_no_addref(&var_hash, &old_rval);
+	} else {
+		var_push_dtor(&var_hash, &return_value);
+	}
 	PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
 }
 /* }}} */
-- 
cgit v1.2.1