Commit | Line | Data |
---|---|---|
9fd17760 ER |
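--- a/ext/standard/tests/strings/bug68710.phpt
+++ b/ext/standard/tests/strings/bug68710.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Bug #68710 Use after free vulnerability in unserialize() (bypassing the
+CVE-2014-8142 fix)
+--FILE--
+<?php
+for ($i=4; $i<100; $i++) {
+ $m = new StdClass();
+
+ $u = array(1);
+
+ $m->aaa = array(1,2,&$u,4,5);
+ $m->bbb = 1;
+ $m->ccc = &$u;
+ $m->ddd = str_repeat("A", $i);
+
+ $z = serialize($m);
+ $z = str_replace("aaa", "123", $z);
+ $z = str_replace("bbb", "123", $z);
+ $y = unserialize($z);
+ $z = serialize($y);
+}
+?>
+===DONE===
+--EXPECTF--
+===DONE===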
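Review bot: The test's only expectation is `===DONE===`, so a regression is caught only if the use-after-free happens to crash the interpreter; on a build where the freed memory is still readable the test passes silently. I would add a comment at the top of the `--FILE--` section, for example `// Regression for bug #68710: only reliable under a memory checker (valgrind, USE_ZEND_ALLOC=0)`, and make sure the suite is run that way at least once per release. As a point of style, `--EXPECTF--` is not needed because the expected output has no format placeholders; `--EXPECT--` would do.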
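--- a/ext/standard/var_unserializer.c
+++ b/ext/standard/var_unserializer.c
@@ -298,7 +298,7 @@
 } else {
 /* object properties should include no integers */
 convert_to_string(key);
- if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
+ if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
 var_push_dtor(var_hash, old_data);
 }
 zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,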
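--- a/ext/standard/var_unserializer.re
+++ b/ext/standard/var_unserializer.re
@@ -304,7 +304,7 @@
 } else {
 /* object properties should include no integers */
 convert_to_string(key);
- if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
+ if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
 var_push_dtor(var_hash, old_data);
 }
 zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,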
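Review bot: The switch to `zend_hash_find` in the object-property branch carries no comment saying why it must not be `zend_symtable_find`, and the fix depends on exactly that. The lookup that feeds `var_push_dtor` has to resolve the key the same way as the `zend_hash_update` call below it. The symtable variant treats a numeric string such as the test's "123" as an integer index, so it misses the existing string-keyed entry and the update destroys the old value while a back-reference may still point at it. I would extend the existing comment to something like `/* object properties are always string keys: look up with zend_hash_find so it matches zend_hash_update below, otherwise the old value is not kept alive via var_push_dtor */`. The var_unserializer.c hunk is the generated counterpart and should be regenerated from this file rather than edited separately; the enclosing function starts and ends outside the hunk.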