Fixed bug #74103 and bug #75054

Directly fail unserialization when trying to acquire an r/R reference to an UNDEF HT slot. Previously this left an UNDEF and later deleted the index/key from the HT. What actually caused the issue here is a combination of two factors: First, the key deletion was performed using the hash API, rather than the symtable API, such that the element was not actually removed if it used an integral string key. Second, a subsequent deletion operation, while collecting trailing UNDEF ranges, would mark the element as available for reuse (leaving a corrupted HT state with nNumOfElemnts > nNumUsed). Fix this by failing early and dropping the deletion code.
php · Aug 12, 2017 · 1a23ebc · 1a23ebc
1 parent b59718b
commit 1a23ebc
Show file tree

Hide file tree

Showing 5 changed files with 614 additions and 585 deletions.
diff --git a/NEWS b/NEWS
@@ -52,6 +52,12 @@ PHP                                                                        NEWS
   . Fixed bug #74669 (Unserialize ArrayIterator broken). (Andrew Nester)
   . Fixed bug #75015 (Crash in recursive iterator destructors). (Julien)
 
+- Standard:
+  . Fixed bug #74103 (heap-use-after-free when unserializing invalid array
+    size). (Nikita)
+  . Fixed bug #75054 (A Denial of Service Vulnerability was found when
+    performing deserialization). (Nikita)
+
 - XMLRPC:
   . Fixed bug #74975 (Incorrect xmlrpc serialization for classes with declared
     properties). (blar)

diff --git a/ext/standard/tests/serialize/bug74103.phpt b/ext/standard/tests/serialize/bug74103.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Bug #74103: heap-use-after-free when unserializing invalid array size
+--FILE--
+<?php
+var_dump(unserialize('a:7:{i:0;i:04;s:1:"a";i:2;i:00009617006;i:4;s:1:"a";i:4;s:1:"a";R:5;s:1:"7";R:3;s:1:"a";R:5;;s:18;}}'));
+?>
+--EXPECTF--
+Notice: unserialize(): Error at offset 68 of 100 bytes in %s on line %d
+bool(false)
diff --git a/ext/standard/tests/serialize/bug75054.phpt b/ext/standard/tests/serialize/bug75054.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Bug #75054: A Denial of Service Vulnerability was found when performing deserialization
+--FILE--
+<?php
+$poc = 'a:9:{i:0;s:4:"0000";i:0;s:4:"0000";i:0;R:2;s:4:"5003";R:2;s:4:"0000";R:2;s:4:"0000";R:2;s:4:"';
+$poc .= "\x06";
+$poc .= '000";R:2;s:4:"0000";d:0;s:4:"0000";a:9:{s:4:"0000";';
+var_dump(unserialize($poc));
+?>
+--EXPECTF--
+Notice: unserialize(): Error at offset 43 of 145 bytes in %s on line %d
+bool(false)