Commit | Line | Data |
---|---|---|
9fd17760 ER |
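--- a/ext/standard/tests/serialize/bug68594.phpt
+++ b/ext/standard/tests/serialize/bug68594.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Bug #68545 Use after free vulnerability in unserialize()
+--FILE--
+<?php
+for ($i=4; $i<100; $i++) {
+ $m = new StdClass();
+
+ $u = array(1);
+
+ $m->aaa = array(1,2,&$u,4,5);
+ $m->bbb = 1;
+ $m->ccc = &$u;
+ $m->ddd = str_repeat("A", $i);
+
+ $z = serialize($m);
+ $z = str_replace("bbb", "aaa", $z);
+ $y = unserialize($z);
+ $z = serialize($y);
+}
+?>
+===DONE===
+--EXPECTF--
+===DONE===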
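Review bot: The `--TEST--` title names Bug #68545 while the file is bug68594.phpt, so one of the two numbers is a typo; if the filename is the correct one the title should read `Bug #68594 Use after free vulnerability in unserialize()`. The test also asserts only that the script reaches `===DONE===`, and a use-after-free does not reliably crash, so it can pass on an unpatched build unless the suite runs under a memory checker. An output check after the loop, such as `var_dump($y->aaa);` with a matching expectation, would pin which value survives the duplicated key. Every property name used here is alphabetic, so keys that look like numbers are not exercised at all.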
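--- a/ext/standard/var_unserializer.c
+++ b/ext/standard/var_unserializer.c
@@ -298,6 +298,9 @@
 } else {
 /* object properties should include no integers */
 convert_to_string(key);
+ if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
+ var_push_dtor(var_hash, old_data);
+ }
 zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
 sizeof data, NULL);
 }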
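--- a/ext/standard/var_unserializer.re
+++ b/ext/standard/var_unserializer.re
@@ -304,6 +304,9 @@
 } else {
 /* object properties should include no integers */
 convert_to_string(key);
+ if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
+ var_push_dtor(var_hash, old_data);
+ }
 zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
 sizeof data, NULL);
 }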
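Review bot: The added lookup uses `zend_symtable_find` while the store directly below it uses `zend_hash_update`, and the two do not agree on numeric-looking keys: the symtable variant, as far as I know, resolves a key such as "123" as an integer index, whereas `zend_hash_update` overwrites the string key. For such a property name the old value would not be found, would not be handed to `var_push_dtor`, and would still be destroyed by the update, so the dangling reference this patch targets remains possible. Keying the lookup the same way as the store closes that gap: `if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {`. The identical lines in the var_unserializer.c section, which appears to be the generated copy of this file, need the same change. The declaration of `old_data` and the rest of the enclosing function are outside the hunk.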