From 646572d6d3847d68124b03936719f60936b49a38 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Tue, 17 Mar 2015 13:20:22 -0700 Subject: [PATCH] Fixed bug #68976 - Use After Free Vulnerability in unserialize() --- NEWS | 3 +- ext/standard/var_unserializer.c | 63 ++++++++++++++++++++-------------------- ext/standard/var_unserializer.re | 1 + 3 files changed, 35 insertions(+), 32 deletions(-) diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c index f114080..ee0cac4 100644 --- a/ext/standard/var_unserializer.c +++ b/ext/standard/var_unserializer.c @@ -315,6 +315,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, sizeof data, NULL); } + var_push_dtor(var_hash, &data); zval_dtor(key); FREE_ZVAL(key); diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re index f04fc74..abac77c 100644 --- a/ext/standard/var_unserializer.re +++ b/ext/standard/var_unserializer.re @@ -321,6 +321,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, sizeof data, NULL); } + var_push_dtor(var_hash, &data); zval_dtor(key); FREE_ZVAL(key); -- 2.1.4 From 8b14d3052ffcffa17d6e2be652f20e18f8f562ad Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Tue, 17 Mar 2015 17:03:46 -0700 Subject: [PATCH] add test for bug #68976 --- ext/standard/tests/serialize/bug68976.phpt | 37 ++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 ext/standard/tests/serialize/bug68976.phpt diff --git a/ext/standard/tests/serialize/bug68976.phpt b/ext/standard/tests/serialize/bug68976.phpt new file mode 100644 index 0000000..a79a953 --- /dev/null +++ b/ext/standard/tests/serialize/bug68976.phpt 
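Review bot: The added `var_push_dtor(var_hash, &data);` in the `var_unserializer.re` hunk carries no comment, and the lifetime rule it enforces is not obvious from the call alone. It runs after the branch that stores `data` into `ht`, so it presumably holds a reference that keeps each nested value alive even if a `__wakeup()` handler removes it before a later `R:`/`r:` entry resolves to the same slot, which is the case the accompanying test exercises. I would add above it `/* keep data alive until var_hash is destroyed; a later back-reference may still point at this slot */`. Because every nested element is now held for the whole `unserialize()` call, the extra memory retained on large inputs is worth confirming. `process_nested_data` begins and ends outside the hunk; the identical line in `var_unserializer.c` looks like the regenerated output of this file and needs no separate comment.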
@@ -0,0 +1,37 @@
+--TEST--
+Bug #68976 Use After Free Vulnerability in unserialize()
+--FILE--
+name);
+ }
+}
+
+$fakezval = pack(
+ 'IIII',
+ 0x00100000,
+ 0x00000400,
+ 0x00000000,
+ 0x00000006
+);
+
+$data = unserialize('a:2:{i:0;O:9:"evilClass":1:{s:4:"name";a:2:{i:0;i:1;i:1;i:2;}}i:1;R:4;}');
+
+for($i = 0; $i < 5; $i++) {
+ $v[$i] = $fakezval.$i;
+}
+
+var_dump($data);
+?>
+===DONE===
+--EXPECTF--
+array(2) {
+ [0]=>
+ object(evilClass)#1 (0) {
+ }
+ [1]=>
+ int(1)
+}
+===DONE===
-- 2.1.4
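Review bot: The test only fails on an unfixed build if the strings assigned in the `for` loop happen to reuse the freed memory, so its regression signal depends on allocator behaviour and on the memory layout that the `pack('IIII', ...)` value assumes. On a build with a different layout it may pass with or without the fix. I would say so in the file with a comment such as `// layout-dependent: run under a memory checker for a deterministic result`, and make sure the suite also runs this test under valgrind or AddressSanitizer, where a stale access is reported regardless of heap reuse. The opening lines of the `--FILE--` section are not visible on this page, so the `evilClass` definition itself is not reviewed here.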