|
|
af9dc8 |
From 22882a9d89712ff2b6ebc20a689a89452bba4dcd Mon Sep 17 00:00:00 2001
|
|
|
af9dc8 |
From: Xinchen Hui <laruence@php.net>
|
|
|
af9dc8 |
Date: Wed, 2 Jul 2014 17:57:42 +0800
|
|
|
af9dc8 |
Subject: [PATCH] Fixed bug #67539 (ArrayIterator use-after-free due to object
|
|
|
af9dc8 |
change during sorting)
|
|
|
af9dc8 |
|
|
|
af9dc8 |
---
|
|
|
af9dc8 |
NEWS | 2 ++
|
|
|
af9dc8 |
ext/spl/spl_array.c | 7 +++++++
|
|
|
af9dc8 |
ext/spl/tests/bug67539.phpt | 15 +++++++++++++++
|
|
|
af9dc8 |
3 files changed, 24 insertions(+)
|
|
|
af9dc8 |
create mode 100644 ext/spl/tests/bug67539.phpt
|
|
|
af9dc8 |
|
|
|
af9dc8 |
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
|
|
|
af9dc8 |
index 8392e72..0fe47b6 100644
|
|
|
af9dc8 |
--- a/ext/spl/spl_array.c
|
|
|
af9dc8 |
+++ b/ext/spl/spl_array.c
|
|
|
af9dc8 |
@@ -1738,6 +1738,7 @@ SPL_METHOD(Array, unserialize)
|
|
|
af9dc8 |
const unsigned char *p, *s;
|
|
|
af9dc8 |
php_unserialize_data_t var_hash;
|
|
|
af9dc8 |
zval *pmembers, *pflags = NULL;
|
|
|
af9dc8 |
+ HashTable *aht;
|
|
|
af9dc8 |
long flags;
|
|
|
af9dc8 |
|
|
|
af9dc8 |
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &buf, &buf_len) == FAILURE) {
|
|
|
af9dc8 |
@@ -1749,6 +1750,12 @@ SPL_METHOD(Array, unserialize)
|
|
|
af9dc8 |
return;
|
|
|
af9dc8 |
}
|
|
|
af9dc8 |
|
|
|
af9dc8 |
+ aht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
|
|
|
af9dc8 |
+ if (aht->nApplyCount > 0) {
|
|
|
af9dc8 |
+ zend_error(E_WARNING, "Modification of ArrayObject during sorting is prohibited");
|
|
|
af9dc8 |
+ return;
|
|
|
af9dc8 |
+ }
|
|
|
af9dc8 |
+
|
|
|
af9dc8 |
/* storage */
|
|
|
af9dc8 |
s = p = (const unsigned char*)buf;
|
|
|
af9dc8 |
PHP_VAR_UNSERIALIZE_INIT(var_hash);
|
|
|
af9dc8 |
diff --git a/ext/spl/tests/bug67539.phpt b/ext/spl/tests/bug67539.phpt
|
|
|
af9dc8 |
new file mode 100644
|
|
|
af9dc8 |
index 0000000..8bab2a8
|
|
|
af9dc8 |
--- /dev/null
|
|
|
af9dc8 |
+++ b/ext/spl/tests/bug67539.phpt
|
|
|
af9dc8 |
@@ -0,0 +1,15 @@
|
|
|
af9dc8 |
+--TEST--
|
|
|
af9dc8 |
+Bug #67539 (ArrayIterator use-after-free due to object change during sorting)
|
|
|
af9dc8 |
+--FILE--
|
|
|
af9dc8 |
+
|
|
|
af9dc8 |
+
|
|
|
af9dc8 |
+$it = new ArrayIterator(array_fill(0,2,'X'), 1 );
|
|
|
af9dc8 |
+
|
|
|
af9dc8 |
+function badsort($a, $b) {
|
|
|
af9dc8 |
+ $GLOBALS['it']->unserialize($GLOBALS['it']->serialize());
|
|
|
af9dc8 |
+ return TRUE;
|
|
|
af9dc8 |
+}
|
|
|
af9dc8 |
+
|
|
|
af9dc8 |
+$it->uksort('badsort');
|
|
|
af9dc8 |
+--EXPECTF--
|
|
|
af9dc8 |
+Warning: Modification of ArrayObject during sorting is prohibited in %sbug67539.php on line %d
|
|
|
af9dc8 |
--
|
|
|
af9dc8 |
1.9.2
|
|
|
af9dc8 |
|