From 7381b6accc5559b2de039af3a22f6ec1003b03b3 Mon Sep 17 00:00:00 2001

From: Stanislav Malyshev <stas@php.net>

Date: Sat, 1 Aug 2015 21:45:19 -0700

Subject: [PATCH] Fixed bug #70166 - Use After Free Vulnerability in

 unserialize() with SPLArrayObject

---

 ext/spl/spl_array.c         |  3 +++

 ext/spl/tests/bug70166.phpt | 29 +++++++++++++++++++++++++++++

 2 files changed, 32 insertions(+)

 create mode 100644 ext/spl/tests/bug70166.phpt

diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c

index a37eced..86608c0 100644

--- a/ext/spl/spl_array.c

+++ b/ext/spl/spl_array.c

@@ -1773,6 +1773,7 @@ SPL_METHOD(Array, unserialize)

 		goto outexcept;

 	}

+	var_push_dtor(&var_hash, &pflags);

 	--p; /* for ';' */

 	flags = Z_LVAL_P(pflags);

 	/* flags needs to be verified and we also need to verify whether the next

@@ -1796,6 +1797,7 @@ SPL_METHOD(Array, unserialize)

 		if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)) {

 			goto outexcept;

 		}

+		var_push_dtor(&var_hash, &intern->array);

 	}

 	if (*p != ';') {

 		goto outexcept;

@@ -1814,6 +1816,7 @@ SPL_METHOD(Array, unserialize)

 		goto outexcept;

 	}

+	var_push_dtor(&var_hash, &pmembers);

 	/* copy members */

 	if (!intern->std.properties) {

 		rebuild_object_properties(&intern->std);

diff --git a/ext/spl/tests/bug70166.phpt b/ext/spl/tests/bug70166.phpt

new file mode 100644

index 0000000..51a3596

--- /dev/null

+++ b/ext/spl/tests/bug70166.phpt

@@ -0,0 +1,29 @@

+--TEST--

+SPL: Bug #70166 Use After Free Vulnerability in unserialize() with SPLArrayObject

+--FILE--

+

+$inner = 'x:i:1;a:0:{};m:a:0:{}';

+$exploit = 'a:2:{i:0;C:11:"ArrayObject":'.strlen($inner).':{'.$inner.'}i:1;R:5;}';

+

+$data = unserialize($exploit);

+

+for($i = 0; $i < 5; $i++) {

+    $v[$i] = 'hi'.$i;

+}

+

+var_dump($data);

+?>

+===DONE===

+--EXPECTF--

+array(2) {

+  [0]=>

+  object(ArrayObject)#%d (1) {

+    ["storage":"ArrayObject":private]=>

+    array(0) {

+    }

+  }

+  [1]=>

+  array(0) {

+  }

+}

+===DONE===

-- 

2.1.4

From c2e197e4efc663ca55f393bf0e799848842286f3 Mon Sep 17 00:00:00 2001

From: Stanislav Malyshev <stas@php.net>

Date: Sat, 1 Aug 2015 21:12:38 -0700

Subject: [PATCH] Fix bug #70168 - Use After Free Vulnerability in

 unserialize() with SplObjectStorage

---

 ext/spl/spl_observer.c      | 68 +++++++++++++++++++++++----------------------

 ext/spl/tests/bug70168.phpt | 19 +++++++++++++

 2 files changed, 54 insertions(+), 33 deletions(-)

 create mode 100644 ext/spl/tests/bug70168.phpt

diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c

index da9110b..5d94a3b 100644

--- a/ext/spl/spl_observer.c

+++ b/ext/spl/spl_observer.c

@@ -848,6 +848,7 @@ SPL_METHOD(SplObjectStorage, unserialize

 		goto outexcept;

 	}

+	var_push_dtor(&var_hash, &pcount);

 	--p; /* for ';' */

 	count = Z_LVAL_P(pcount);

@@ -919,6 +920,7 @@ SPL_METHOD(SplObjectStorage, unserialize

 		goto outexcept;

 	}

+	var_push_dtor(&var_hash, &pmembers);

 	/* copy members */

 	if (!intern->std.properties) {

 		rebuild_object_properties(&intern->std);

diff --git a/ext/spl/tests/bug70168.phpt b/ext/spl/tests/bug70168.phpt

new file mode 100644

index 0000000..192f0f3

--- /dev/null

+++ b/ext/spl/tests/bug70168.phpt

@@ -0,0 +1,19 @@

+--TEST--

+SPL: Bug #70168 Use After Free Vulnerability in unserialize() with SplObjectStorage

+--FILE--

+

+$inner = 'x:i:1;O:8:"stdClass":0:{};m:a:0:{}';

+$exploit = 'a:2:{i:0;C:16:"SplObjectStorage":'.strlen($inner).':{'.$inner.'}i:1;R:3;}';

+

+$data = unserialize($exploit);

+

+for($i = 0; $i < 5; $i++) {

+    $v[$i] = 'hi'.$i;

+}

+

+var_dump($data[1]);

+?>

+===DONE===

+--EXPECT--

+int(1)

+===DONE===

-- 

2.1.4

From 863bf294feb9ad425eadb94f288bc7f18673089d Mon Sep 17 00:00:00 2001

From: Stanislav Malyshev <stas@php.net>

Date: Sat, 1 Aug 2015 21:51:08 -0700

Subject: [PATCH] Fixed bug #70169 (Use After Free Vulnerability in

 unserialize() with SplDoublyLinkedList)

---

 ext/spl/spl_dllist.c        | 25 +++++++++++++------------

 ext/spl/tests/bug70169.phpt | 30 ++++++++++++++++++++++++++++++

 2 files changed, 43 insertions(+), 12 deletions(-)

 create mode 100644 ext/spl/tests/bug70169.phpt

diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c

index b5ddfc0..011d7a6 100644

--- a/ext/spl/spl_dllist.c

+++ b/ext/spl/spl_dllist.c

@@ -1207,6 +1207,7 @@ SPL_METHOD(SplDoublyLinkedList, unserialize)

 		zval_ptr_dtor(&flags);

 		goto error;

 	}

+	var_push_dtor(&var_hash, &flags);

 	intern->flags = Z_LVAL_P(flags);

 	zval_ptr_dtor(&flags);

diff --git a/ext/spl/tests/bug70169.phpt b/ext/spl/tests/bug70169.phpt

new file mode 100644

index 0000000..9d814be

--- /dev/null

+++ b/ext/spl/tests/bug70169.phpt

@@ -0,0 +1,30 @@

+--TEST--

+SPL: Bug #70169	Use After Free Vulnerability in unserialize() with SplDoublyLinkedList

+--FILE--

+

+$inner = 'i:1;';

+$exploit = 'a:2:{i:0;C:19:"SplDoublyLinkedList":'.strlen($inner).':{'.$inner.'}i:1;R:3;}';

+

+$data = unserialize($exploit);

+

+for($i = 0; $i < 5; $i++) {

+    $v[$i] = 'hi'.$i;

+}

+

+var_dump($data);

+?>

+===DONE===

+--EXPECTF--

+array(2) {

+  [0]=>

+  object(SplDoublyLinkedList)#%d (2) {

+    ["flags":"SplDoublyLinkedList":private]=>

+    int(1)

+    ["dllist":"SplDoublyLinkedList":private]=>

+    array(0) {

+    }

+  }

+  [1]=>

+  int(1)

+}

+===DONE===

-- 

2.1.4