commit e9d961ee18c6dba28a3a7670a3de29dfa349148e | |
Author: Stanislav Malyshev <stas@php.net> | |
Date: Sat Aug 1 21:51:08 2015 -0700 | |
Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList) | |
diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c | |
index b5ddfc0..011d7a6 100644 | |
--- a/ext/spl/spl_dllist.c | |
+++ b/ext/spl/spl_dllist.c | |
@@ -1209,6 +1209,7 @@ SPL_METHOD(SplDoublyLinkedList, unserialize) | |
zval_ptr_dtor(&flags); | |
goto error; | |
} | |
+ var_push_dtor(&var_hash, &flags); | |
intern->flags = Z_LVAL_P(flags); | |
zval_ptr_dtor(&flags); | |
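Review bot: The added `var_push_dtor(&var_hash, &flags);` carries no comment explaining why a zval that is released two lines later is first registered with the unserialize state, so the call looks redundant and is easy to drop in a later cleanup. I would add above it `/* keep flags alive until var_hash is destroyed; a later R:/r: back-reference can still resolve to this slot */`. The failure branch just above releases `flags` without registering it, which looks safe only if parsing is abandoned at `error`; that label is outside the hunk, so it is worth confirming. The rest of the method, including whatever unserializes the list elements, is also outside this hunk and should be checked for the same pattern of releasing a value that `php_var_unserialize` may have recorded in `var_hash`.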
diff --git a/ext/spl/tests/bug70169.phpt b/ext/spl/tests/bug70169.phpt | |
new file mode 100644 | |
index 0000000..9d814be | |
--- /dev/null | |
+++ b/ext/spl/tests/bug70169.phpt | |
@@ -0,0 +1,30 @@ | |
+--TEST-- | |
+SPL: Bug #70169 Use After Free Vulnerability in unserialize() with SplDoublyLinkedList | |
+--FILE-- | |
+<?php | |
+$inner = 'i:1;'; | |
+$exploit = 'a:2:{i:0;C:19:"SplDoublyLinkedList":'.strlen($inner).':{'.$inner.'}i:1;R:3;}'; | |
+ | |
+$data = unserialize($exploit); | |
+ | |
+for($i = 0; $i < 5; $i++) { | |
+ $v[$i] = 'hi'.$i; | |
+} | |
+ | |
+var_dump($data); | |
+?> | |
+===DONE=== | |
+--EXPECTF-- | |
+array(2) { | |
+ [0]=> | |
+ object(SplDoublyLinkedList)#%d (2) { | |
+ ["flags":"SplDoublyLinkedList":private]=> | |
+ int(1) | |
+ ["dllist":"SplDoublyLinkedList":private]=> | |
+ array(0) { | |
+ } | |
+ } | |
+ [1]=> | |
+ int(1) | |
+} | |
+===DONE=== |
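Review bot: The `for` loop that fills `$v` has no comment, yet it appears to be what makes a regression visible: presumably its allocations reuse the freed slot, so `[1]` would no longer dump as `int(1)`. I would add `// allocate fresh strings so a prematurely freed flags value gets overwritten and the dump below changes` above the loop. Because detection then depends on allocator reuse, a regression is caught most reliably when this test is also run under a memory checker. The test covers only the flags value; a back-reference to a list element is not exercised here.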