Blob Blame History Raw
From 646572d6d3847d68124b03936719f60936b49a38 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Tue, 17 Mar 2015 13:20:22 -0700
Subject: [PATCH] Fixed bug #68976 - Use After Free Vulnerability in
 unserialize()

---
 NEWS                             |  3 +-
 ext/standard/var_unserializer.c  | 63 ++++++++++++++++++++--------------------
 ext/standard/var_unserializer.re |  1 +
 3 files changed, 35 insertions(+), 32 deletions(-)

diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
index f114080..ee0cac4 100644
--- a/ext/standard/var_unserializer.c
+++ b/ext/standard/var_unserializer.c
@@ -346,6 +346,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
 			zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
 					sizeof data, NULL);
 		}
+		var_push_dtor(var_hash, &data);
 		
 		zval_dtor(key);
 		FREE_ZVAL(key);
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
index f04fc74..abac77c 100644
--- a/ext/standard/var_unserializer.re
+++ b/ext/standard/var_unserializer.re
@@ -352,6 +352,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
 			zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
 					sizeof data, NULL);
 		}
+		var_push_dtor(var_hash, &data);
 		
 		zval_dtor(key);
 		FREE_ZVAL(key);
From 8b14d3052ffcffa17d6e2be652f20e18f8f562ad Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Tue, 17 Mar 2015 17:03:46 -0700
Subject: [PATCH] add test for bug #68976

---
 ext/standard/tests/serialize/bug68976.phpt | 37 ++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 ext/standard/tests/serialize/bug68976.phpt

diff --git a/ext/standard/tests/serialize/bug68976.phpt b/ext/standard/tests/serialize/bug68976.phpt
new file mode 100644
index 0000000..a79a953
--- /dev/null
+++ b/ext/standard/tests/serialize/bug68976.phpt
@@ -0,0 +1,37 @@
+--TEST--
+Bug #68976 Use After Free Vulnerability in unserialize()
+--FILE--
+<?php
+class evilClass {
+	public $name;
+	function __wakeup() {
+		unset($this->name);
+	}
+}
+
+$fakezval = pack(
+    'IIII',
+    0x00100000,
+    0x00000400,
+    0x00000000,
+    0x00000006 
+);
+
+$data = unserialize('a:2:{i:0;O:9:"evilClass":1:{s:4:"name";a:2:{i:0;i:1;i:1;i:2;}}i:1;R:4;}');
+
+for($i = 0; $i < 5; $i++) {
+    $v[$i] = $fakezval.$i;
+}
+
+var_dump($data);
+?>
+===DONE===
+--EXPECTF--
+array(2) {
+  [0]=>
+  object(evilClass)#1 (0) {
+  }
+  [1]=>
+  int(1)
+}
+===DONE===