diff options
Diffstat (limited to 'bug72562.patch')
| -rw-r--r-- | bug72562.patch | 73 |
1 files changed, 73 insertions, 0 deletions
diff --git a/bug72562.patch b/bug72562.patch new file mode 100644 index 0000000..cbed3d6 --- /dev/null +++ b/bug72562.patch @@ -0,0 +1,73 @@ +From 3798eb6fd5dddb211b01d41495072fd9858d4e32 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Tue, 12 Jul 2016 23:27:45 -0700 +Subject: [PATCH] Fix bug #72562 - destroy var_hash properly + +--- + ext/session/session.c | 3 ++- + ext/session/tests/bug72562.phpt | 44 +++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 46 insertions(+), 1 deletion(-) + create mode 100644 ext/session/tests/bug72562.phpt + +diff --git a/ext/session/session.c b/ext/session/session.c +index f5439ea..cb6cc01 100644 +--- a/ext/session/session.c ++++ b/ext/session/session.c +@@ -837,6 +837,7 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */ + namelen = ((unsigned char)(*p)) & (~PS_BIN_UNDEF); + + if (namelen < 0 || namelen > PS_BIN_MAX || (p + namelen) >= endptr) { ++ PHP_VAR_UNSERIALIZE_DESTROY(var_hash); + return FAILURE; + } + +diff --git a/ext/session/tests/bug72562.phpt b/ext/session/tests/bug72562.phpt +new file mode 100644 +index 0000000..d85e48b +--- /dev/null ++++ b/ext/session/tests/bug72562.phpt +@@ -0,0 +1,44 @@ ++--TEST-- ++Bug #72562: Use After Free in unserialize() with Unexpected Session Deserialization ++--SKIPIF-- ++<?php include('skipif.inc'); ?> ++--FILE-- ++<?php ++ ++ini_set('session.serialize_handler', 'php_binary'); ++session_start(); ++$sess = "\x1xi:1;\x2y"; ++session_decode($sess); ++$uns_1 = '{'; ++$out_1[] = unserialize($uns_1); ++unset($out_1); ++$fakezval = ptr2str(1122334455); ++$fakezval .= ptr2str(0); ++$fakezval .= "\x00\x00\x00\x00"; ++$fakezval .= "\x01"; ++$fakezval .= "\x00"; ++$fakezval .= "\x00\x00"; ++for ($i = 0; $i < 5; $i++) { ++ $v[$i] = $fakezval.$i; ++} ++$uns_2 = 'R:2;'; ++$out_2 = unserialize($uns_2); ++var_dump($out_2); ++ ++function ptr2str($ptr) ++{ ++ $out = ''; ++ for ($i = 0; $i < 8; $i++) { ++ $out .= chr($ptr & 0xff); ++ $ptr >>= 8; ++ } ++ return $out; ++} ++?> ++--EXPECTF-- ++Warning: session_decode(): Failed to decode session object. Session has been destroyed in %s/bug72562.php on line %d ++ ++Notice: unserialize(): Error at offset 0 of 1 bytes in %s/bug72562.php on line %d ++ ++Notice: unserialize(): Error at offset 4 of 4 bytes in %s/bug72562.php on line %d ++bool(false) |