This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| commit e9d961ee18c6dba28a3a7670a3de29dfa349148e | |
| Author: Stanislav Malyshev <stas@php.net> | |
| Date: Sat Aug 1 21:51:08 2015 -0700 | |
| Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList) | |
| diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c | |
| index b5ddfc0..011d7a6 100644 | |
| --- a/ext/spl/spl_dllist.c | |
| +++ b/ext/spl/spl_dllist.c | |
| @@ -1209,6 +1209,7 @@ SPL_METHOD(SplDoublyLinkedList, unserialize) | |
| zval_ptr_dtor(&flags); | |
| goto error; | |
| } | |
| + var_push_dtor(&var_hash, &flags); | |
| intern->flags = Z_LVAL_P(flags); | |
| zval_ptr_dtor(&flags); | |
| diff --git a/ext/spl/tests/bug70169.phpt b/ext/spl/tests/bug70169.phpt | |
| new file mode 100644 | |
| index 0000000..9d814be | |
| --- /dev/null | |
| +++ b/ext/spl/tests/bug70169.phpt | |
| @@ -0,0 +1,30 @@ | |
| +--TEST-- | |
| +SPL: Bug #70169 Use After Free Vulnerability in unserialize() with SplDoublyLinkedList | |
| +--FILE-- | |
| +<?php | |
| +$inner = 'i:1;'; | |
| +$exploit = 'a:2:{i:0;C:19:"SplDoublyLinkedList":'.strlen($inner).':{'.$inner.'}i:1;R:3;}'; | |
| + | |
| +$data = unserialize($exploit); | |
| + | |
| +for($i = 0; $i < 5; $i++) { | |
| + $v[$i] = 'hi'.$i; | |
| +} | |
| + | |
| +var_dump($data); | |
| +?> | |
| +===DONE=== | |
| +--EXPECTF-- | |
| +array(2) { | |
| + [0]=> | |
| + object(SplDoublyLinkedList)#%d (2) { | |
| + ["flags":"SplDoublyLinkedList":private]=> | |
| + int(1) | |
| + ["dllist":"SplDoublyLinkedList":private]=> | |
| + array(0) { | |
| + } | |
| + } | |
| + [1]=> | |
| + int(1) | |
| +} | |
| +===DONE=== |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment