

Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList)
smalyshev committed Aug 2, 2015
1 parent 7381b6a commit 863bf29
Showing 2 changed files with 43 additions and 12 deletions.
25 changes: 13 additions & 12 deletions ext/spl/spl_dllist.c
Expand Up @@ -500,7 +500,7 @@ static int spl_dllist_object_count_elements(zval *object, long *count TSRMLS_DC)

*count = spl_ptr_llist_count(intern->llist);
return SUCCESS;
}
}
/* }}} */

static HashTable* spl_dllist_object_get_debug_info(zval *obj, int *is_temp TSRMLS_DC) /* {{{{ */
Expand Down Expand Up @@ -571,7 +571,7 @@ SPL_METHOD(SplDoublyLinkedList, push)
spl_ptr_llist_push(intern->llist, value TSRMLS_CC);

RETURN_TRUE;
}
}
/* }}} */

/* {{{ proto bool SplDoublyLinkedList::unshift(mixed $value) U
Expand Down Expand Up @@ -614,7 +614,7 @@ SPL_METHOD(SplDoublyLinkedList, pop)
}

RETURN_ZVAL(value, 1, 1);
}
}
/* }}} */

/* {{{ proto mixed SplDoublyLinkedList::shift() U
Expand All @@ -637,7 +637,7 @@ SPL_METHOD(SplDoublyLinkedList, shift)
}

RETURN_ZVAL(value, 1, 1);
}
}
/* }}} */

/* {{{ proto mixed SplDoublyLinkedList::top() U
Expand Down Expand Up @@ -1051,7 +1051,7 @@ static void spl_dllist_it_move_forward(zend_object_iterator *iter TSRMLS_DC) /*
SPL_METHOD(SplDoublyLinkedList, key)
{
spl_dllist_object *intern = (spl_dllist_object*)zend_object_store_get_object(getThis() TSRMLS_CC);

if (zend_parse_parameters_none() == FAILURE) {
return;
}
Expand All @@ -1065,7 +1065,7 @@ SPL_METHOD(SplDoublyLinkedList, key)
SPL_METHOD(SplDoublyLinkedList, prev)
{
spl_dllist_object *intern = (spl_dllist_object*)zend_object_store_get_object(getThis() TSRMLS_CC);

if (zend_parse_parameters_none() == FAILURE) {
return;
}
Expand All @@ -1079,7 +1079,7 @@ SPL_METHOD(SplDoublyLinkedList, prev)
SPL_METHOD(SplDoublyLinkedList, next)
{
spl_dllist_object *intern = (spl_dllist_object*)zend_object_store_get_object(getThis() TSRMLS_CC);

if (zend_parse_parameters_none() == FAILURE) {
return;
}
Expand All @@ -1093,7 +1093,7 @@ SPL_METHOD(SplDoublyLinkedList, next)
SPL_METHOD(SplDoublyLinkedList, valid)
{
spl_dllist_object *intern = (spl_dllist_object*)zend_object_store_get_object(getThis() TSRMLS_CC);

if (zend_parse_parameters_none() == FAILURE) {
return;
}
Expand All @@ -1107,7 +1107,7 @@ SPL_METHOD(SplDoublyLinkedList, valid)
SPL_METHOD(SplDoublyLinkedList, rewind)
{
spl_dllist_object *intern = (spl_dllist_object*)zend_object_store_get_object(getThis() TSRMLS_CC);

if (zend_parse_parameters_none() == FAILURE) {
return;
}
Expand All @@ -1122,7 +1122,7 @@ SPL_METHOD(SplDoublyLinkedList, current)
{
spl_dllist_object *intern = (spl_dllist_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
spl_ptr_llist_element *element = intern->traverse_pointer;

if (zend_parse_parameters_none() == FAILURE) {
return;
}
Expand Down Expand Up @@ -1177,7 +1177,7 @@ SPL_METHOD(SplDoublyLinkedList, serialize)
} else {
RETURN_NULL();
}

} /* }}} */

/* {{{ proto void SplDoublyLinkedList::unserialize(string serialized)
Expand All @@ -1190,7 +1190,7 @@ SPL_METHOD(SplDoublyLinkedList, unserialize)
int buf_len;
const unsigned char *p, *s;
php_unserialize_data_t var_hash;

if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &buf, &buf_len) == FAILURE) {
return;
}
Expand All @@ -1209,6 +1209,7 @@ SPL_METHOD(SplDoublyLinkedList, unserialize)
zval_ptr_dtor(&flags);
goto error;
}
var_push_dtor(&var_hash, &flags);
intern->flags = Z_LVAL_P(flags);
zval_ptr_dtor(&flags);

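Review bot: The added `var_push_dtor(&var_hash, &flags);` in the 1209 hunk covers only the flags zval; the element zvals that SplDoublyLinkedList::unserialize produces further down (past the end of this hunk) are presumably either pushed onto the list or released, and if the serialized payload can carry a back-reference to one of them the same lifetime problem would apply there, so that path is worth confirming in the same pass. The new line also deserves a comment, since its position before the `zval_ptr_dtor(&flags)` below is the whole fix and a later reorder would silently reintroduce the bug: `/* register flags with var_hash first, so a later R:n back-reference cannot resolve to a zval that the zval_ptr_dtor below has already freed */`. The other hunks in this file (500, 571, 614, 637, 1051–1122, 1177, 1190) appear to be whitespace-only and raise nothing. The enclosing function starts and ends outside the hunk.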
30 changes: 30 additions & 0 deletions ext/spl/tests/bug70169.phpt
@@ -0,0 +1,30 @@
--TEST--
SPL: Bug #70169 Use After Free Vulnerability in unserialize() with SplDoublyLinkedList
--FILE--
<?php
$inner = 'i:1;';
$exploit = 'a:2:{i:0;C:19:"SplDoublyLinkedList":'.strlen($inner).':{'.$inner.'}i:1;R:3;}';

$data = unserialize($exploit);

for($i = 0; $i < 5; $i++) {
$v[$i] = 'hi'.$i;
}

var_dump($data);
?>
===DONE===
--EXPECTF--
array(2) {
[0]=>
object(SplDoublyLinkedList)#%d (2) {
["flags":"SplDoublyLinkedList":private]=>
int(1)
["dllist":"SplDoublyLinkedList":private]=>
array(0) {
}
}
[1]=>
int(1)
}
===DONE===
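Review bot: The loop `for($i = 0; $i < 5; $i++) { $v[$i] = 'hi'.$i; }` in the --FILE-- body has no comment explaining its role, so a future cleanup could drop it as dead code and quietly weaken the regression test. Presumably its allocations are there to reuse memory released during unserialize(), so that a reintroduced use-after-free changes the var_dump() output instead of passing by chance; confirm that and record it, e.g. `// allocate after unserialize() so any freed zval is reused and a regression shows up in var_dump()`. The `R:3;` back-reference in $exploit would likewise benefit from a one-line comment stating what it is meant to refer to (it appears to target the flags value inside the SplDoublyLinkedList payload, given the expected `int(1)` output).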
