
Fix for bug #68710 (Use After Free Vulnerability in PHP's unserialize())

smalyshev committed Jan 2, 2015
1 parent f9ad308 commit b585a3aed7880a5fa5c18e2b838fc96f40e075bd
Showing with 32 additions and 3 deletions.
  1. +4 −0 NEWS
  2. +25 −0 ext/standard/tests/strings/bug68710.phpt
  3. +2 −2 ext/standard/var_unserializer.c
  4. +1 −1 ext/standard/var_unserializer.re
4 NEWS
@@ -1,6 +1,10 @@
PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? 20?? PHP 5.4.37
- Core:
. Fix bug #68710 (Use after free vulnerability in unserialize(), incomplete
fix for #68594). (Stefan Esser)

- CGI:
. Fix bug #68618 (out of bounds read crashes php-cgi). (Stas)

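--- /dev/null
+++ b/ext/standard/tests/strings/bug68710.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Bug #68710 Use after free vulnerability in unserialize() (bypassing the
+CVE-2014-8142 fix)
+--FILE--
+<?php
+for ($i=4; $i<100; $i++) {
+$m = new StdClass();
+$u = array(1);
+$m->aaa = array(1,2,&$u,4,5);
+$m->bbb = 1;
+$m->ccc = &$u;
+$m->ddd = str_repeat("A", $i);
+$z = serialize($m);
+$z = str_replace("aaa", "123", $z);
+$z = str_replace("bbb", "123", $z);
+$y = unserialize($z);
+$z = serialize($y);
+}
+?>
+===DONE===
+--EXPECTF--
+===DONE===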
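Review bot: The test only proves that unserialize() does not crash: the expected output is just `===DONE===`, so a use-after-free that leaves the heap intact (the usual case on a non-debug build) would still pass, and nothing in the script says what it is exercising. I would add a comment before the loop along the lines of `// two properties renamed to the same numeric-looking name "123", with a reference ($u) shared between them; the string-length loop presumably varies allocation sizes so a prematurely freed zval gets reused — run under a debug/valgrind build to make the UAF visible`, hedging the allocation-size part since the script does not state it. The section also uses `--EXPECTF--` although the expected block contains no `%s`/`%d` placeholders; `--EXPECT--` is the exact-match form and avoids accidental format semantics.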
@@ -1,4 +1,4 @@
/* Generated by re2c 0.13.7.5 on Thu Dec 11 19:26:19 2014 */
/* Generated by re2c 0.13.7.5 on Thu Jan 1 14:43:18 2015 */
#line 1 "ext/standard/var_unserializer.re"
/*
+----------------------------------------------------------------------+
@@ -343,7 +343,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
} else {
/* object properties should include no integers */
convert_to_string(key);
if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
var_push_dtor(var_hash, old_data);
}
zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
@@ -347,7 +347,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
} else {
/* object properties should include no integers */
convert_to_string(key);
if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
var_push_dtor(var_hash, old_data);
}
zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
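Review bot: The switch from zend_symtable_find to zend_hash_find is correct only because the zend_hash_update two lines below stores the key verbatim, and nothing in the hunk says so; the surviving comment `/* object properties should include no integers */` reads as a statement about the data rather than about the lookup. I would extend it to `/* must be zend_hash_find, not zend_symtable_find: the update below stores the key as a literal string, so a numeric-looking property name ("123") would otherwise miss the existing entry and its zval would be freed by the update while still referenced */`, which is the shape the new bug68710.phpt builds with its "aaa"/"bbb" → "123" replacement. process_nested_data starts and ends outside the hunk, so I cannot see whether the other find/update pairs in it (the integer-key branch, the array path) agree on key semantics; given this is the second attempt at #68594 they are worth a quick check. The generated var_unserializer.c was regenerated in the same commit, as the re2c header timestamp in its first hunk shows.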
