smalyshev/70166.diff Secret

## 69 changes: 69 additions & 0 deletions 70166.diff
@@ -0,0 +1,69 @@

    commit ca594eda0cc7da6f10a624496a21f49b9ce10283
commit ca594eda0cc7da6f10a624496a21f49b9ce10283

    Author: Stanislav Malyshev <stas@php.net>
Author: Stanislav Malyshev <stas@php.net>

    Date:   Sat Aug 1 21:45:19 2015 -0700
Date:   Sat Aug 1 21:45:19 2015 -0700


        Fixed bug #70166 - Use After Free Vulnerability in unserialize() with SPLArrayObject
    Fixed bug #70166 - Use After Free Vulnerability in unserialize() with SPLArrayObject


    diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c

    index a37eced..86608c0 100644
index a37eced..86608c0 100644

    --- a/ext/spl/spl_array.c
--- a/ext/spl/spl_array.c

    +++ b/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c

    @@ -1777,6 +1777,7 @@ SPL_METHOD(Array, unserialize)
@@ -1777,6 +1777,7 @@ SPL_METHOD(Array, unserialize)

     		goto outexcept;
 		goto outexcept;

     	}
 	}


    +	var_push_dtor(&var_hash, &pflags);
+	var_push_dtor(&var_hash, &pflags);

     	--p; /* for ';' */
 	--p; /* for ';' */

     	flags = Z_LVAL_P(pflags);
 	flags = Z_LVAL_P(pflags);

     	/* flags needs to be verified and we also need to verify whether the next
 	/* flags needs to be verified and we also need to verify whether the next

    @@ -1800,6 +1801,7 @@ SPL_METHOD(Array, unserialize)
@@ -1800,6 +1801,7 @@ SPL_METHOD(Array, unserialize)

     		if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)) {
 		if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)) {

     			goto outexcept;
 			goto outexcept;

     		}
 		}

    +		var_push_dtor(&var_hash, &intern->array);
+		var_push_dtor(&var_hash, &intern->array);

     	}
 	}

     	if (*p != ';') {
 	if (*p != ';') {

     		goto outexcept;
 		goto outexcept;

    @@ -1818,6 +1820,7 @@ SPL_METHOD(Array, unserialize)
@@ -1818,6 +1820,7 @@ SPL_METHOD(Array, unserialize)

     		goto outexcept;
 		goto outexcept;

     	}
 	}


    +	var_push_dtor(&var_hash, &pmembers);
+	var_push_dtor(&var_hash, &pmembers);

     	/* copy members */
 	/* copy members */

     	if (!intern->std.properties) {
 	if (!intern->std.properties) {

     		rebuild_object_properties(&intern->std);
 		rebuild_object_properties(&intern->std);

    diff --git a/ext/spl/tests/bug70166.phpt b/ext/spl/tests/bug70166.phpt
diff --git a/ext/spl/tests/bug70166.phpt b/ext/spl/tests/bug70166.phpt

    new file mode 100644
new file mode 100644

    index 0000000..51a3596
index 0000000..51a3596

    --- /dev/null
--- /dev/null

    +++ b/ext/spl/tests/bug70166.phpt
+++ b/ext/spl/tests/bug70166.phpt

    @@ -0,0 +1,29 @@
@@ -0,0 +1,29 @@

    +--TEST--
+--TEST--

    +SPL: Bug #70166 Use After Free Vulnerability in unserialize() with SPLArrayObject
+SPL: Bug #70166 Use After Free Vulnerability in unserialize() with SPLArrayObject

    +--FILE--
+--FILE--

    +<?php
+<?php

    +$inner = 'x:i:1;a:0:{};m:a:0:{}';
+$inner = 'x:i:1;a:0:{};m:a:0:{}';

    +$exploit = 'a:2:{i:0;C:11:"ArrayObject":'.strlen($inner).':{'.$inner.'}i:1;R:5;}';
+$exploit = 'a:2:{i:0;C:11:"ArrayObject":'.strlen($inner).':{'.$inner.'}i:1;R:5;}';

    +
+

    +$data = unserialize($exploit);
+$data = unserialize($exploit);

    +
+

    +for($i = 0; $i < 5; $i++) {
+for($i = 0; $i < 5; $i++) {

    +    $v[$i] = 'hi'.$i;
+    $v[$i] = 'hi'.$i;

    +}
+}

    +
+

    +var_dump($data);
+var_dump($data);

    +?>
+?>

    +===DONE===
+===DONE===

    +--EXPECTF--
+--EXPECTF--

    +array(2) {
+array(2) {

    +  [0]=>
+  [0]=>

    +  object(ArrayObject)#%d (1) {
+  object(ArrayObject)#%d (1) {

    +    ["storage":"ArrayObject":private]=>
+    ["storage":"ArrayObject":private]=>

    +    array(0) {
+    array(0) {

    +    }
+    }

    +  }
+  }

    +  [1]=>
+  [1]=>

    +  array(0) {
+  array(0) {

    +  }
+  }

    +}
+}

    +===DONE===
+===DONE===