Created Oct 24, 2016

Patch for 73341
commit 504ff0629f7ce8c0d4fc001673e6600f98b31e28
Author: Stanislav Malyshev <stas@php.net>
Date: Sun Oct 23 21:56:35 2016 -0700
Fix bug #73144 and bug #73341 - remove extra dtor
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 700d609..e7cbd1f 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -1812,7 +1812,7 @@ SPL_METHOD(Array, unserialize)
ALLOC_INIT_ZVAL(intern->array);
if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)
|| (Z_TYPE_P(intern->array) != IS_ARRAY && Z_TYPE_P(intern->array) != IS_OBJECT)) {
- zval_ptr_dtor(&intern->array);
+ // zval_ptr_dtor(&intern->array);
goto outexcept;
}
var_push_dtor(&var_hash, &intern->array);
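Review bot: The removed `zval_ptr_dtor(&intern->array);` is left in as a commented-out line rather than deleted, which gives no hint why releasing the zval here is wrong and invites someone to restore it and bring back the double release this commit fixes. Delete the line and record the reason in its place, e.g. `/* no dtor here: intern->array is released on the outexcept path (bugs #73144/#73341) */`. The `outexcept` label and the rest of `Array::unserialize` are outside the hunk, so which release the dropped call was duplicating — presumably the var_hash teardown there — should be confirmed against that code before the comment is worded. Also worth checking in that code is whether `intern->array` is reset after the release on this failure path, since the hunk leaves it pointing at the zval after the `goto`.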
diff --git a/ext/standard/tests/serialize/bug73341.phpt b/ext/standard/tests/serialize/bug73341.phpt
new file mode 100644
index 0000000..5542321
--- /dev/null
+++ b/ext/standard/tests/serialize/bug73341.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Bug #73144 (Use-afte-free in ArrayObject Deserialization)
+--FILE--
+<?php
+try {
+$token = 'a:2:{i:0;O:1:"0":2:0s:1:"0";i:0;s:1:"0";a:1:{i:0;C:11:"ArrayObject":7:0x:i:0;r0';
+$obj = unserialize($token);
+} catch(Exception $e) {
+ echo $e->getMessage()."\n";
+}
+
+try {
+$inner = 'x:i:1;O:8:"stdClass":1:{};m:a:0:{}';
+$exploit = 'C:11:"ArrayObject":'.strlen($inner).':{'.$inner.'}';
+unserialize($exploit);
+} catch(Exception $e) {
+ echo $e->getMessage()."\n";
+}
+?>
+--EXPECTF--
+Error at offset 6 of 7 bytes
+
+Notice: ArrayObject::unserialize(): Unexpected end of serialized data in %sbug73341.php on line %d
+Error at offset 24 of 34 bytes
\ No newline at end of file
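Review bot: The `--TEST--` line misspells the bug title: `Bug #73144 (Use-afte-free in ArrayObject Deserialization)` should read `Bug #73144 (Use-after-free in ArrayObject Deserialization)`, and since the file is named bug73341.phpt while the commit fixes both bugs, naming both numbers there would make the test easier to find from either report. The test is added under ext/standard/tests/serialize although the fix is in ext/spl/spl_array.c; ext/spl/tests seems the natural home, and the `%sbug73341.php` pattern in `--EXPECTF--` does not tie it to the current directory. The file also ends without a trailing newline.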