Fix bug #70436: Use After Free Vulnerability in unserialize()

(cherry picked from commit 95d09e4)
Signed-off-by: Lior Kaplan <kaplanlior@gmail.com>

ext/standard/tests/strings/bug70436.phpt

@@ -0,0 +1,65 @@
+--TEST--
+Bug #70436: Use After Free Vulnerability in unserialize()
+--FILE--
+<?php
+
+class obj implements Serializable
+{
+	var $data;
+
+	function serialize()
+	{
+		return serialize($this->data);
+	}
+
+	function unserialize($data)
+	{
+		$this->data = unserialize($data);
+	}
+}
+
+$fakezval = ptr2str(1122334455);
+$fakezval .= ptr2str(0);
+$fakezval .= "\x00\x00\x00\x00";
+$fakezval .= "\x01";
+$fakezval .= "\x00";
+$fakezval .= "\x00\x00";
+
+$inner = 'C:3:"obj":3:{ryat';
+$exploit = 'a:4:{i:0;i:1;i:1;C:3:"obj":'.strlen($inner).':{'.$inner.'}i:2;s:'.strlen($fakezval).':"'.$fakezval.'";i:3;R:5;}';
+
+$data = unserialize($exploit);
+
+var_dump($data);
+
+function ptr2str($ptr)
+{
+	$out = '';
+
+	for ($i = 0; $i < 8; $i++) {
+		$out .= chr($ptr & 0xff);
+		$ptr >>= 8;
+	}
+
+	return $out;
+}
+?>
+DONE
+--EXPECTF--
+Notice: unserialize(): Error at offset 0 of 3 bytes in %sbug70436.php on line %d
+
+Notice: unserialize(): Error at offset 17 of 17 bytes in %sbug70436.php on line %d
+array(4) {
+  [0]=>
+  int(1)
+  [1]=>
+  object(obj)#%d (1) {
+    ["data"]=>
+    bool(false)
+  }
+  [2]=>
+  string(24) "%s"
+  [3]=>
+  bool(false)
+}
+DONE

ext/standard/var.c

@@ -965,6 +965,7 @@ PHP_FUNCTION(unserialize)
 	p = (const unsigned char*) buf;
 	PHP_VAR_UNSERIALIZE_INIT(var_hash);
 	if (!php_var_unserialize(&return_value, &p, p + buf_len, &var_hash TSRMLS_CC)) {
+		var_push_dtor(&var_hash, &return_value);
 		PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
 		zval_dtor(return_value);
 		if (!EG(exception)) {