Skip to content

Instantly share code, notes, and snippets.

@smalyshev smalyshev/70168.diff Secret
Created Aug 2, 2015

Embed
What would you like to do?
commit 329ccf32cbeabb616c58fdaed051161c9048a793
Author: Stanislav Malyshev <stas@php.net>
Date: Sat Aug 1 21:12:38 2015 -0700
Fix bug #70168 - Use After Free Vulnerability in unserialize() with SplObjectStorage
diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c
index da9110b..5d94a3b 100644
--- a/ext/spl/spl_observer.c
+++ b/ext/spl/spl_observer.c
@@ -832,6 +832,7 @@ SPL_METHOD(SplObjectStorage, unserialize)
goto outexcept;
}
+ var_push_dtor(&var_hash, &pcount);
--p; /* for ';' */
count = Z_LVAL_P(pcount);
@@ -903,6 +904,7 @@ SPL_METHOD(SplObjectStorage, unserialize)
goto outexcept;
}
+ var_push_dtor(&var_hash, &pmembers);
/* copy members */
if (!intern->std.properties) {
rebuild_object_properties(&intern->std);
diff --git a/ext/spl/tests/bug70168.phpt b/ext/spl/tests/bug70168.phpt
new file mode 100644
index 0000000..192f0f3
--- /dev/null
+++ b/ext/spl/tests/bug70168.phpt
@@ -0,0 +1,19 @@
+--TEST--
+SPL: Bug #70168 Use After Free Vulnerability in unserialize() with SplObjectStorage
+--FILE--
+<?php
+$inner = 'x:i:1;O:8:"stdClass":0:{};m:a:0:{}';
+$exploit = 'a:2:{i:0;C:16:"SplObjectStorage":'.strlen($inner).':{'.$inner.'}i:1;R:3;}';
+
+$data = unserialize($exploit);
+
+for($i = 0; $i < 5; $i++) {
+ $v[$i] = 'hi'.$i;
+}
+
+var_dump($data[1]);
+?>
+===DONE===
+--EXPECT--
+int(1)
+===DONE===
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.