Complete the fix of bug #70172 for PHP 7
nikic committed Nov 5, 2016
1 parent 3d73f71 commit b2af4e8
Showing 2 changed files with 7 additions and 9 deletions.
6 changes: 2 additions & 4 deletions ext/standard/tests/serialize/bug70172_2.phpt
@@ -1,7 +1,5 @@
--TEST--
Bug #70172 - Use After Free Vulnerability in unserialize()
--XFAIL--
Unfinished merge, needs fix.
--FILE--
<?php
class obj implements Serializable {
@@ -61,10 +59,10 @@ array(2) {
[0]=>
array(1) {
[0]=>
&object(obj2)#%d (1) {
object(obj2)#%d (1) {
["ryat"]=>
int(1)
}
}
}
}
}
10 changes: 5 additions & 5 deletions ext/standard/var.c
@@ -1036,6 +1036,7 @@ PHP_FUNCTION(unserialize)
const unsigned char *p;
php_unserialize_data_t var_hash;
zval *options = NULL, *classes = NULL;
zval *retval;
HashTable *class_hash = NULL;

if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|a", &buf, &buf_len, &options) == FAILURE) {
@@ -1067,22 +1068,21 @@ PHP_FUNCTION(unserialize)
}
}

if (!php_var_unserialize_ex(return_value, &p, p + buf_len, &var_hash, class_hash)) {
retval = var_tmp_var(&var_hash);
if (!php_var_unserialize_ex(retval, &p, p + buf_len, &var_hash, class_hash)) {
PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
if (class_hash) {
zend_hash_destroy(class_hash);
FREE_HASHTABLE(class_hash);
}
zval_ptr_dtor(return_value);
if (!EG(exception)) {
php_error_docref(NULL, E_NOTICE, "Error at offset " ZEND_LONG_FMT " of %zd bytes",
(zend_long)((char*)p - buf), buf_len);
}
RETURN_FALSE;
}
/* We should keep an reference to return_value to prevent it from being dtor
in case nesting calls to unserialize */
var_push_dtor(&var_hash, return_value);

ZVAL_COPY(return_value, retval);

PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
if (class_hash) {
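Review bot: The new `retval = var_tmp_var(&var_hash);` line in the second hunk carries no comment, and the comment it replaces (about keeping a reference to return_value during nested unserialize() calls) is deleted, so the lifetime rule this use-after-free fix depends on is no longer written down. I would add above it something like `/* Unserialize into a temporary owned by var_hash; return_value is filled by ZVAL_COPY only after parsing succeeds, so a nested unserialize() cannot free it mid-parse. */`. The failure path now relies on `PHP_VAR_UNSERIALIZE_DESTROY(var_hash)` to release the temporary instead of `zval_ptr_dtor(return_value)`, which looks right only if var_tmp_var() registers the slot for destruction and never returns NULL here; neither is visible in this diff. It is also worth confirming that `retval` cannot be a reference wrapper when `ZVAL_COPY(return_value, retval);` runs, and adding `ZVAL_DEREF(retval);` before it if it can. PHP_FUNCTION(unserialize) starts and ends outside the visible hunks.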
