@smalyshev

smalyshev/70169.diff Secret

Created Aug 2, 2015
commit e9d961ee18c6dba28a3a7670a3de29dfa349148e
Author: Stanislav Malyshev <stas@php.net>
Date: Sat Aug 1 21:51:08 2015 -0700
Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList)
diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c
index b5ddfc0..011d7a6 100644
--- a/ext/spl/spl_dllist.c
+++ b/ext/spl/spl_dllist.c
@@ -1209,6 +1209,7 @@ SPL_METHOD(SplDoublyLinkedList, unserialize)
zval_ptr_dtor(&flags);
goto error;
}
+ var_push_dtor(&var_hash, &flags);
intern->flags = Z_LVAL_P(flags);
zval_ptr_dtor(&flags);
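Review bot: the new `var_push_dtor(&var_hash, &flags);` line deserves a comment explaining its ordering: it has to come before the `zval_ptr_dtor(&flags)` that follows, so that the unserializer's reference table in `var_hash` owns the `flags` zval for the lifetime of the whole unserialize() call; otherwise a later `R:` back-reference in the same payload can resolve to the already-freed value, which is the use-after-free this fix addresses. The `goto error` path just above still calls `zval_ptr_dtor(&flags)` without registering it, which is acceptable only because unserialization aborts there, and that asymmetry is worth stating in the comment too. If the rest of this method unserializes further values from the same `var_hash` (not visible in this hunk), they need the same treatment.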
diff --git a/ext/spl/tests/bug70169.phpt b/ext/spl/tests/bug70169.phpt
new file mode 100644
index 0000000..9d814be
--- /dev/null
+++ b/ext/spl/tests/bug70169.phpt
@@ -0,0 +1,30 @@
+--TEST--
+SPL: Bug #70169 Use After Free Vulnerability in unserialize() with SplDoublyLinkedList
+--FILE--
+<?php
+$inner = 'i:1;';
+$exploit = 'a:2:{i:0;C:19:"SplDoublyLinkedList":'.strlen($inner).':{'.$inner.'}i:1;R:3;}';
+
+$data = unserialize($exploit);
+
+for($i = 0; $i < 5; $i++) {
+ $v[$i] = 'hi'.$i;
+}
+
+var_dump($data);
+?>
+===DONE===
+--EXPECTF--
+array(2) {
+ [0]=>
+ object(SplDoublyLinkedList)#%d (2) {
+ ["flags":"SplDoublyLinkedList":private]=>
+ int(1)
+ ["dllist":"SplDoublyLinkedList":private]=>
+ array(0) {
+ }
+ }
+ [1]=>
+ int(1)
+}
+===DONE===
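Review bot: the `$v[$i] = 'hi'.$i;` loop has no visible purpose in the test and `$v` is never read; if it is there to reuse the memory freed by the bug so that `var_dump($data)` would print garbage on an unfixed build, say so in a comment, because a reader will otherwise take it for dead code and remove it. Since that reuse is allocator-dependent, the regression is only reliably detected under a memory checker such as valgrind or ASan; noting that in the test header would help anyone bisecting. The payload itself reads clearly: `R:3;` refers back to the third unserialized value, the `i:1;` flags integer inside the SplDoublyLinkedList, and the expected `[1]=> int(1)` confirms the reference now resolves to a live value.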