PHP bug #81708
From 6fc79c90a07672992b39d8d4fc95ad4023f751ae Mon Sep 17 00:00:00 2001 | |
From: "Christoph M. Becker" <cmbecker69@gmx.de> | |
Date: Mon, 31 Jan 2022 15:43:24 +0100 | |
Subject: [PATCH] Fix #81708: UAF due to php_filter_float() failing for ints | |
We must only release the zval, if we actually assign a new zval. | |
--- | |
ext/filter/logical_filters.c | 2 +- | |
ext/filter/tests/bug81708.phpt | 20 ++++++++++++++++++++ | |
2 files changed, 21 insertions(+), 1 deletion(-) | |
create mode 100644 ext/filter/tests/bug81708.phpt | |
diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c | |
index fa6ae65ac5..e5e87c0156 100644 | |
--- a/ext/filter/logical_filters.c | |
+++ b/ext/filter/logical_filters.c | |
@@ -435,10 +435,10 @@ void php_filter_float(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */ | |
switch (is_numeric_string(num, p - num, &lval, &dval, 0)) { | |
case IS_LONG: | |
- zval_ptr_dtor(value); | |
if ((min_range_set && (lval < min_range)) || (max_range_set && (lval > max_range))) { | |
goto error; | |
} | |
+ zval_ptr_dtor(value); | |
ZVAL_DOUBLE(value, (double)lval); | |
break; | |
case IS_DOUBLE: | |
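Review bot: The reordered `zval_ptr_dtor(value);` in the `IS_LONG` case relies on an ownership rule that the code does not state, so a later edit could move the release back above the range check. A one-line comment directly above it would pin the rule, e.g. `/* release only once validation has passed; the error path presumably still uses value */`. The `error:` label and the body of the `IS_DOUBLE` case lie outside this hunk, so it is worth confirming that the double branch also releases `value` only after its last `goto error`.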
diff --git a/ext/filter/tests/bug81708.phpt b/ext/filter/tests/bug81708.phpt | |
new file mode 100644 | |
index 0000000000..d0036af136 | |
--- /dev/null | |
+++ b/ext/filter/tests/bug81708.phpt | |
@@ -0,0 +1,20 @@ | |
+--TEST-- | |
+Bug #81708 (UAF due to php_filter_float() failing for ints) | |
+--SKIPIF-- | |
+<?php | |
+if (!extension_loaded("filter")) die("skip filter extension not available"); | |
+?> | |
+--INI-- | |
+opcache.enable_cli=0 | |
+--FILE-- | |
+<?php | |
+$input = "+" . str_repeat("1", 2); // avoid string interning | |
+filter_var( | |
+ $input, | |
+ FILTER_VALIDATE_FLOAT, | |
+ ["options" => ['min_range' => -1, 'max_range' => 1]] | |
+); | |
+var_dump($input); | |
+?> | |
+--EXPECT-- | |
+string(3) "+11" | |
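Review bot: The test dumps only `$input`, so it pins that the caller's string survives but not what `filter_var()` returns for the out-of-range integer. Wrapping the call as `var_dump(filter_var(...));` and adding `bool(false)` to `--EXPECT--` would cover both. Only the `max_range` side is exercised (`+11` against a maximum of 1); a second input below `min_range` would cover the other half of the range condition in `php_filter_float()`. A use-after-free like this may not change the output on a regular build, so the test probably gives the most signal when the suite runs under a memory checker, which cannot be seen from this patch.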
-- | |
2.35.1.windows.1 | |