diff options
Diffstat (limited to 'bug73144.patch')
-rw-r--r-- | bug73144.patch | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/bug73144.patch b/bug73144.patch new file mode 100644 index 0000000..bfe8c3e --- /dev/null +++ b/bug73144.patch @@ -0,0 +1,58 @@ +Backported from 5.6.28 by Remi. + + +From b433034febb099835a61943986522eb246115910 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sun, 23 Oct 2016 21:56:35 -0700 +Subject: [PATCH] Fix bug #73144 and bug #73341 - remove extra dtor + +--- + ext/spl/spl_array.c | 2 +- + ext/standard/tests/serialize/bug73341.phpt | 24 ++++++++++++++++++++++++ + 2 files changed, 25 insertions(+), 1 deletion(-) + create mode 100644 ext/standard/tests/serialize/bug73341.phpt + +diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c +index 700d609..e7cbd1f 100644 +--- a/ext/spl/spl_array.c ++++ b/ext/spl/spl_array.c +@@ -1798,7 +1798,7 @@ SPL_METHOD(Array, unserialize) + ALLOC_INIT_ZVAL(intern->array); + if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC) + || (Z_TYPE_P(intern->array) != IS_ARRAY && Z_TYPE_P(intern->array) != IS_OBJECT)) { +- zval_ptr_dtor(&intern->array); ++ // zval_ptr_dtor(&intern->array); + goto outexcept; + } + var_push_dtor(&var_hash, &intern->array); +diff --git a/ext/standard/tests/serialize/bug73341.phpt b/ext/standard/tests/serialize/bug73341.phpt +new file mode 100644 +index 0000000..5542321 +--- /dev/null ++++ b/ext/standard/tests/serialize/bug73341.phpt +@@ -0,0 +1,24 @@ ++--TEST-- ++Bug #73144 (Use-afte-free in ArrayObject Deserialization) ++--FILE-- ++<?php ++try { ++$token = 'a:2:{i:0;O:1:"0":2:0s:1:"0";i:0;s:1:"0";a:1:{i:0;C:11:"ArrayObject":7:0x:i:0;r0'; ++$obj = unserialize($token); ++} catch(Exception $e) { ++ echo $e->getMessage()."\n"; ++} ++ ++try { ++$inner = 'x:i:1;O:8:"stdClass":1:{};m:a:0:{}'; ++$exploit = 'C:11:"ArrayObject":'.strlen($inner).':{'.$inner.'}'; ++unserialize($exploit); ++} catch(Exception $e) { ++ echo $e->getMessage()."\n"; ++} ++?> ++--EXPECTF-- ++Error at offset 6 of 7 bytes ++ ++Notice: ArrayObject::unserialize(): Unexpected end of serialized data in %sbug73341.php on line %d ++Error at offset 24 of 34 bytes +\ No newline at end of file |