Skip to content

Fix GH-20101: SplHeap/SplPriorityQueue serialization exposes INDIRECTs #20102

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Fix GH-20101: SplHeap/SplPriorityQueue serialization exposes INDIRECTs #20102

wants to merge 1 commit into from
+60 −28

Conversation

nielsdos
Copy link
Member

@nielsdos nielsdos commented Oct 8, 2025

Exposing INDIRECTs to userland is not allowed and can lead to all sorts of wrong behaviour. In this case it lead to UAF bugs. Solve it by duplicating the properties table, which de-indirects the elements and also decouples it for future modifications.

@nielsdos nielsdos linked an issue Oct 8, 2025 that may be closed by this pull request
SplHeap/SplPriorityQueue serialization exposes INDIRECTs #20101
Closed
nielsdos added a commit to nielsdos/php-src that referenced this pull request Oct 8, 2025
@nielsdos
Fix Randomizer::__serialize() wrt INDIRECTs
b516ad0 
First follow-up to phpGH-20102.
INDIRECTs must never get exposed to userland. The simple solution is to
duplicate the properties array.
@nielsdos nielsdos mentioned this pull request Oct 8, 2025
Closed
@nielsdos
Copy link
Member Author

nielsdos commented Oct 8, 2025
edited
Loading

I'll have another look after work. It seems that some tests need fixes and/or the implementation-alias wasn't fully right.
EDIT: oh it's probably the true/false difference I didn't see first. I'll fix it after work.

See also ext/spl/tests/SplHeap_serialize_indexed_format.phpt that asserted the buggy behaviour btw.

Girgias
Girgias approved these changes Oct 8, 2025
View reviewed changes
Copy link
Member

@Girgias Girgias left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Only into 8.5?

@nielsdos
Fix phpGH-20101: SplHeap/SplPriorityQueue serialization exposes INDIR…
04a5516 
…ECTs

Exposing INDIRECTs to userland is not allowed and can lead to all sorts
of wrong behaviour. In this case it lead to UAF bugs.
Solve it by duplicating the properties table, which de-indirects the
elements and also decouples it for future modifications.
@nielsdos
Copy link
Member Author

nielsdos commented Oct 8, 2025

Only into 8.5?

Yes, because this was only introduced in #19447 which targeted 8.5.

nielsdos added a commit that referenced this pull request Oct 8, 2025
@nielsdos
Fix Randomizer::__serialize() wrt INDIRECTs
c5fa769 
First follow-up to GH-20102.
INDIRECTs must never get exposed to userland. The simple solution is to
duplicate the properties array.

Closes GH-20103.
@nielsdos nielsdos closed this in 0458b3c Oct 8, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Girgias Girgias Girgias approved these changes

@kocsismate kocsismate Awaiting requested review from kocsismate

Assignees
No one assigned
Labels
Extension: spl
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

SplHeap/SplPriorityQueue serialization exposes INDIRECTs
2 participants
@nielsdos @Girgias