/72479.diff Secret

## 72479.diff
commit cab1c3b3708eead315e033359d07049b23b147a3
Author: Stanislav Malyshev <stas@php.net>
Date:   Sun Jun 26 17:52:09 2016 -0700

    Fixed bug #72479 - same as #72434

diff --git a/ext/snmp/snmp.c b/ext/snmp/snmp.c
index 6c1da4c..e1161c7 100644
--- a/ext/snmp/snmp.c
+++ b/ext/snmp/snmp.c
@@ -2095,6 +2095,14 @@ static int php_snmp_has_property(zval *object, zval *member, int has_set_exists,
 }
 /* }}} */

+static HashTable *php_snmp_get_gc(zval *object, zval ***gc_data, int *gc_data_count TSRMLS_DC) /* {{{ */
+{
+	*gc_data = NULL;
+	*gc_data_count = 0;
+	return zend_std_get_properties(object TSRMLS_CC);
+}
+/* }}} */
+
 /* {{{ php_snmp_get_properties(zval *object)
    Returns all object properties. Injects SNMP properties into object on first call */
 static HashTable *php_snmp_get_properties(zval *object TSRMLS_DC)
@@ -2401,6 +2409,7 @@ PHP_MINIT_FUNCTION(snmp)
 	php_snmp_object_handlers.write_property = php_snmp_write_property;
 	php_snmp_object_handlers.has_property = php_snmp_has_property;
 	php_snmp_object_handlers.get_properties = php_snmp_get_properties;
+	php_snmp_object_handlers.get_gc = php_snmp_get_gc;

 	/* Register SNMP Class */
 	INIT_CLASS_ENTRY(ce, "SNMP", php_snmp_class_methods);
diff --git a/ext/snmp/tests/bug72479.phpt b/ext/snmp/tests/bug72479.phpt
new file mode 100644
index 0000000..0308754
--- /dev/null
+++ b/ext/snmp/tests/bug72479.phpt
@@ -0,0 +1,35 @@
+--TEST--
+Bug #72479: Use After Free Vulnerability in SNMP with GC and unserialize()
+--SKIPIF--
+<?php
+require_once(dirname(__FILE__).'/skipif.inc');
+?>
+--FILE--
+<?php
+$arr = [1, [1, 2, 3, 4, 5], 3, 4, 5];
+$poc = 'a:3:{i:1;N;i:2;O:4:"snmp":1:{s:11:"quick_print";'.serialize($arr).'}i:1;R:7;}';
+$out = unserialize($poc);
+gc_collect_cycles();
+$fakezval = ptr2str(1122334455);
+$fakezval .= ptr2str(0);
+$fakezval .= "\x00\x00\x00\x00";
+$fakezval .= "\x01";
+$fakezval .= "\x00";
+$fakezval .= "\x00\x00";
+for ($i = 0; $i < 5; $i++) {
+    $v[$i] = $fakezval.$i;
+}
+var_dump($out[1]);
+
+function ptr2str($ptr)
+{
+    $out = '';
+    for ($i = 0; $i < 8; $i++) {
+        $out .= chr($ptr & 0xff);
+        $ptr >>= 8;
+    }
+    return $out;
+}
+?>
+--EXPECT--
+int(1)
\ No newline at end of file
	commit cab1c3b3708eead315e033359d07049b23b147a3
	Author: Stanislav Malyshev <stas@php.net>
	Date: Sun Jun 26 17:52:09 2016 -0700

	Fixed bug #72479 - same as #72434

	diff --git a/ext/snmp/snmp.c b/ext/snmp/snmp.c
	index 6c1da4c..e1161c7 100644
	--- a/ext/snmp/snmp.c
	+++ b/ext/snmp/snmp.c
	@@ -2095,6 +2095,14 @@ static int php_snmp_has_property(zval object, zval member, int has_set_exists,
	}
	/* }}} */

	+static HashTable php_snmp_get_gc(zval object, zval **gc_data, int gc_data_count TSRMLS_DC) /* {{{ */
	+{
	+ *gc_data = NULL;
	+ *gc_data_count = 0;
	+ return zend_std_get_properties(object TSRMLS_CC);
	+}
	+/* }}} */
	+
	/* {{{ php_snmp_get_properties(zval *object)
	Returns all object properties. Injects SNMP properties into object on first call */
	static HashTable php_snmp_get_properties(zval object TSRMLS_DC)
	@@ -2401,6 +2409,7 @@ PHP_MINIT_FUNCTION(snmp)
	php_snmp_object_handlers.write_property = php_snmp_write_property;
	php_snmp_object_handlers.has_property = php_snmp_has_property;
	php_snmp_object_handlers.get_properties = php_snmp_get_properties;
	+ php_snmp_object_handlers.get_gc = php_snmp_get_gc;

	/* Register SNMP Class */
	INIT_CLASS_ENTRY(ce, "SNMP", php_snmp_class_methods);
	diff --git a/ext/snmp/tests/bug72479.phpt b/ext/snmp/tests/bug72479.phpt
	new file mode 100644
	index 0000000..0308754
	--- /dev/null
	+++ b/ext/snmp/tests/bug72479.phpt
	@@ -0,0 +1,35 @@
	+--TEST--
	+Bug #72479: Use After Free Vulnerability in SNMP with GC and unserialize()
	+--SKIPIF--
	+<?php
	+require_once(dirname(__FILE__).'/skipif.inc');
	+?>
	+--FILE--
	+<?php
	+$arr = [1, [1, 2, 3, 4, 5], 3, 4, 5];
	+$poc = 'a:3:{i:1;N;i:2;O:4:"snmp":1:{s:11:"quick_print";'.serialize($arr).'}i:1;R:7;}';
	+$out = unserialize($poc);
	+gc_collect_cycles();
	+$fakezval = ptr2str(1122334455);
	+$fakezval .= ptr2str(0);
	+$fakezval .= "\x00\x00\x00\x00";
	+$fakezval .= "\x01";
	+$fakezval .= "\x00";
	+$fakezval .= "\x00\x00";
	+for ($i = 0; $i < 5; $i++) {
	+ $v[$i] = $fakezval.$i;
	+}
	+var_dump($out[1]);
	+
	+function ptr2str($ptr)
	+{
	+ $out = '';
	+ for ($i = 0; $i < 8; $i++) {
	+ $out .= chr($ptr & 0xff);
	+ $ptr >>= 8;
	+ }
	+ return $out;
	+}
	+?>
	+--EXPECT--
	+int(1)
	\ No newline at end of file