Commit681a1af

committed

Merge branch 'PHP-5.5' into PHP-5.6

* PHP-5.5: update news add CVE add missing test file Fix bug #68594 - Use after free vulnerability in unserialize()Conflicts:ext/standard/var_unserializer.c

2 parents181f34f +8efd73c commit681a1afCopy full SHA for 681a1af

File tree

3 files changed

+62

-32

lines changed

ext/standard
- tests/serialize
  - bug68594.phpt
- var_unserializer.c
- var_unserializer.re

3 files changed

+62

-32

lines changed

`‎ext/standard/tests/serialize/bug68594.phpt‎`

Lines changed: 23 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,23 @@`
	`1`	`+--TEST--`
	`2`	`+Bug #68545 Use after free vulnerability in unserialize()`
	`3`	`+--FILE--`
	`4`	`+<?php`
	`5`	`+for ($i=4;$i<100;$i++) {`
	`6`	`+$m =newStdClass();`
	`7`	`+`
	`8`	`+$u =array(1);`
	`9`	`+`
	`10`	`+$m->aaa =array(1,2,&$u,4,5);`
	`11`	`+$m->bbb =1;`
	`12`	`+$m->ccc = &$u;`
	`13`	`+$m->ddd =str_repeat("A",$i);`
	`14`	`+`
	`15`	`+$z =serialize($m);`
	`16`	`+$z =str_replace("bbb","aaa",$z);`
	`17`	`+$y =unserialize($z);`
	`18`	`+$z =serialize($y);`
	`19`	`+}`
	`20`	`+?>`
	`21`	`+===DONE===`
	`22`	`+--EXPECTF--`
	`23`	`+===DONE===`

`‎ext/standard/var_unserializer.c‎`

Lines changed: 36 additions & 32 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-/* Generated by re2c 0.13.5 */`
	`1`	`+/* Generated by re2c 0.13.7.5 */`
`2`	`2`	`#line 1 "ext/standard/var_unserializer.re"`
`3`	`3`	`/*`
`4`	`4`	`+----------------------------------------------------------------------+`
`@@ -342,6 +342,9 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long`
`342`	`342`	`}else {`
`343`	`343`	`/* object properties should include no integers */`
`344`	`344`	`convert_to_string(key);`
	`345`	`+if (zend_symtable_find(ht,Z_STRVAL_P(key),Z_STRLEN_P(key)+1, (void**)&old_data)==SUCCESS) {`
	`346`	`+var_push_dtor(var_hash,old_data);`
	`347`	`+}`
`345`	`348`	`zend_hash_update(ht,Z_STRVAL_P(key),Z_STRLEN_P(key)+1,&data,`
`346`	`349`	`sizeofdata,NULL);`
`347`	`350`	`}`
`@@ -475,7 +478,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)`
`475`	`478`
`476`	`479`
`477`	`480`
`478`		`-#line479 "ext/standard/var_unserializer.c"`
	`481`	`+#line482 "ext/standard/var_unserializer.c"`
`479`	`482`	`{`
`480`	`483`	`YYCTYPEyych;`
`481`	`484`	`staticconstunsignedcharyybm[]= {`
`@@ -535,9 +538,9 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)`
`535`	`538`	`yych=*(YYMARKER=++YYCURSOR);`
`536`	`539`	`if (yych==':') gotoyy95;`
`537`	`540`	`yy3:`
`538`		`-#line830 "ext/standard/var_unserializer.re"`
	`541`	`+#line833 "ext/standard/var_unserializer.re"`
`539`	`542`	`{return0; }`
`540`		`-#line541 "ext/standard/var_unserializer.c"`
	`543`	`+#line544 "ext/standard/var_unserializer.c"`
`541`	`544`	`yy4:`
`542`	`545`	`yych=*(YYMARKER=++YYCURSOR);`
`543`	`546`	`if (yych==':') gotoyy89;`
`@@ -580,13 +583,13 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)`
`580`	`583`	`gotoyy3;`
`581`	`584`	`yy14:`
`582`	`585`	`++YYCURSOR;`
`583`		`-#line824 "ext/standard/var_unserializer.re"`
	`586`	`+#line827 "ext/standard/var_unserializer.re"`
`584`	`587`	`{`
`585`	`588`	`/* this is the case where we have less data than planned */`
`586`	`589`	`php_error_docref(NULLTSRMLS_CC,E_NOTICE,"Unexpected end of serialized data");`
`587`	`590`	`return0;/* not sure if it should be 0 or 1 here? */`
`588`	`591`	`}`
`589`		`-#line590 "ext/standard/var_unserializer.c"`
	`592`	`+#line593 "ext/standard/var_unserializer.c"`
`590`	`593`	`yy16:`
`591`	`594`	`yych=*++YYCURSOR;`
`592`	`595`	`gotoyy3;`
`@@ -612,11 +615,12 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)`
`612`	`615`	`if (yybm[0+yych]&128) {`
`613`	`616`	`gotoyy20;`
`614`	`617`	`}`
`615`		`-if (yych!=':') gotoyy18;`
	`618`	`+if (yych <='/') gotoyy18;`
	`619`	`+if (yych >=';') gotoyy18;`
`616`	`620`	`yych=*++YYCURSOR;`
`617`	`621`	`if (yych!='"') gotoyy18;`
`618`	`622`	`++YYCURSOR;`
`619`		`-#line678 "ext/standard/var_unserializer.re"`
	`623`	`+#line681 "ext/standard/var_unserializer.re"`
`620`	`624`	`{`
`621`	`625`	`size_tlen,len2,len3,maxlen;`
`622`	`626`	`longelements;`
`@@ -762,7 +766,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)`
`762`	`766`
`763`	`767`	`returnobject_common2(UNSERIALIZE_PASSTHRU,elements);`
`764`	`768`	`}`
`765`		`-#line766 "ext/standard/var_unserializer.c"`
	`769`	`+#line770 "ext/standard/var_unserializer.c"`
`766`	`770`	`yy25:`
`767`	`771`	`yych=*++YYCURSOR;`
`768`	`772`	`if (yych <=',') {`
`@@ -787,15 +791,15 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)`
`787`	`791`	`yych=*++YYCURSOR;`
`788`	`792`	`if (yych!='"') gotoyy18;`
`789`	`793`	`++YYCURSOR;`
`790`		`-#line670 "ext/standard/var_unserializer.re"`
	`794`	`+#line673 "ext/standard/var_unserializer.re"`
`791`	`795`	`{`
`792`	`796`
`793`	`797`	`INIT_PZVAL(*rval);`
`794`	`798`
`795`	`799`	`returnobject_common2(UNSERIALIZE_PASSTHRU,`
`796`	`800`	`object_common1(UNSERIALIZE_PASSTHRU,ZEND_STANDARD_CLASS_DEF_PTR));`
`797`	`801`	`}`
`798`		`-#line799 "ext/standard/var_unserializer.c"`
	`802`	`+#line803 "ext/standard/var_unserializer.c"`
`799`	`803`	`yy32:`
`800`	`804`	`yych=*++YYCURSOR;`
`801`	`805`	`if (yych=='+') gotoyy33;`
`@@ -816,7 +820,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)`
`816`	`820`	`yych=*++YYCURSOR;`
`817`	`821`	`if (yych!='{') gotoyy18;`
`818`	`822`	`++YYCURSOR;`
`819`		`-#line650 "ext/standard/var_unserializer.re"`
	`823`	`+#line653 "ext/standard/var_unserializer.re"`
`820`	`824`	`{`
`821`	`825`	`longelements=parse_iv(start+2);`
`822`	`826`	`/* use iv() not uiv() in order to check data range */`
`@@ -836,7 +840,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)`
`836`	`840`
`837`	`841`	`returnfinish_nested_data(UNSERIALIZE_PASSTHRU);`
`838`	`842`	`}`
`839`		`-#line840 "ext/standard/var_unserializer.c"`
	`843`	`+#line844 "ext/standard/var_unserializer.c"`
`840`	`844`	`yy39:`
`841`	`845`	`yych=*++YYCURSOR;`
`842`	`846`	`if (yych=='+') gotoyy40;`
`@@ -857,7 +861,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)`
`857`	`861`	`yych=*++YYCURSOR;`
`858`	`862`	`if (yych!='"') gotoyy18;`
`859`	`863`	`++YYCURSOR;`
`860`		`-#line621 "ext/standard/var_unserializer.re"`
	`864`	`+#line624 "ext/standard/var_unserializer.re"`
`861`	`865`	`{`
`862`	`866`	`size_tlen,maxlen;`
`863`	`867`	`char*str;`
`@@ -886,7 +890,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)`
`886`	`890`	`ZVAL_STRINGL(*rval,str,len,0);`
`887`	`891`	`return1;`
`888`	`892`	`}`
`889`		`-#line890 "ext/standard/var_unserializer.c"`
	`893`	`+#line894 "ext/standard/var_unserializer.c"`
`890`	`894`	`yy46:`
`891`	`895`	`yych=*++YYCURSOR;`
`892`	`896`	`if (yych=='+') gotoyy47;`
`@@ -907,7 +911,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)`
`907`	`911`	`yych=*++YYCURSOR;`
`908`	`912`	`if (yych!='"') gotoyy18;`
`909`	`913`	`++YYCURSOR;`
`910`		`-#line593 "ext/standard/var_unserializer.re"`
	`914`	`+#line596 "ext/standard/var_unserializer.re"`
`911`	`915`	`{`
`912`	`916`	`size_tlen,maxlen;`
`913`	`917`	`char*str;`
`@@ -935,7 +939,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)`
`935`	`939`	`ZVAL_STRINGL(*rval,str,len,1);`
`936`	`940`	`return1;`
`937`	`941`	`}`
`938`		`-#line939 "ext/standard/var_unserializer.c"`
	`942`	`+#line943 "ext/standard/var_unserializer.c"`
`939`	`943`	`yy53:`
`940`	`944`	`yych=*++YYCURSOR;`
`941`	`945`	`if (yych <='/') {`
`@@ -1023,7 +1027,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)`
`1023`	`1027`	`}`
`1024`	`1028`	`yy63:`
`1025`	`1029`	`++YYCURSOR;`
`1026`		`-#line583 "ext/standard/var_unserializer.re"`
	`1030`	`+#line586 "ext/standard/var_unserializer.re"`
`1027`	`1031`	`{`
`1028`	`1032`	`#ifSIZEOF_LONG==4`
`1029`	`1033`	`use_double:`
`@@ -1033,7 +1037,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)`
`1033`	`1037`	`ZVAL_DOUBLE(rval,zend_strtod((constchar)start+2,NULL));`
`1034`	`1038`	`return1;`
`1035`	`1039`	`}`
`1036`		`-#line1037 "ext/standard/var_unserializer.c"`
	`1040`	`+#line1041 "ext/standard/var_unserializer.c"`
`1037`	`1041`	`yy65:`
`1038`	`1042`	`yych=*++YYCURSOR;`
`1039`	`1043`	`if (yych <=',') {`
`@@ -1092,7 +1096,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)`
`1092`	`1096`	`yych=*++YYCURSOR;`
`1093`	`1097`	`if (yych!=';') gotoyy18;`
`1094`	`1098`	`++YYCURSOR;`
`1095`		`-#line568 "ext/standard/var_unserializer.re"`
	`1099`	`+#line571 "ext/standard/var_unserializer.re"`
`1096`	`1100`	`{`
`1097`	`1101`	`*p=YYCURSOR;`
`1098`	`1102`	`INIT_PZVAL(*rval);`
`@@ -1107,7 +1111,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)`
`1107`	`1111`
`1108`	`1112`	`return1;`
`1109`	`1113`	`}`
`1110`		`-#line1111 "ext/standard/var_unserializer.c"`
	`1114`	`+#line1115 "ext/standard/var_unserializer.c"`
`1111`	`1115`	`yy76:`
`1112`	`1116`	`yych=*++YYCURSOR;`
`1113`	`1117`	`if (yych=='N') gotoyy73;`
`@@ -1134,7 +1138,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)`
`1134`	`1138`	`if (yych <='9') gotoyy79;`
`1135`	`1139`	`if (yych!=';') gotoyy18;`
`1136`	`1140`	`++YYCURSOR;`
`1137`		`-#line541 "ext/standard/var_unserializer.re"`
	`1141`	`+#line544 "ext/standard/var_unserializer.re"`
`1138`	`1142`	`{`
`1139`	`1143`	`#ifSIZEOF_LONG==4`
`1140`	`1144`	`intdigits=YYCURSOR-start-3;`
`@@ -1161,32 +1165,32 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)`
`1161`	`1165`	`ZVAL_LONG(*rval,parse_iv(start+2));`
`1162`	`1166`	`return1;`
`1163`	`1167`	`}`
`1164`		`-#line1165 "ext/standard/var_unserializer.c"`
	`1168`	`+#line1169 "ext/standard/var_unserializer.c"`
`1165`	`1169`	`yy83:`
`1166`	`1170`	`yych=*++YYCURSOR;`
`1167`	`1171`	`if (yych <='/') gotoyy18;`
`1168`	`1172`	`if (yych >='2') gotoyy18;`
`1169`	`1173`	`yych=*++YYCURSOR;`
`1170`	`1174`	`if (yych!=';') gotoyy18;`
`1171`	`1175`	`++YYCURSOR;`
`1172`		`-#line534 "ext/standard/var_unserializer.re"`
	`1176`	`+#line537 "ext/standard/var_unserializer.re"`
`1173`	`1177`	`{`
`1174`	`1178`	`*p=YYCURSOR;`
`1175`	`1179`	`INIT_PZVAL(*rval);`
`1176`	`1180`	`ZVAL_BOOL(*rval,parse_iv(start+2));`
`1177`	`1181`	`return1;`
`1178`	`1182`	`}`
`1179`		`-#line1180 "ext/standard/var_unserializer.c"`
	`1183`	`+#line1184 "ext/standard/var_unserializer.c"`
`1180`	`1184`	`yy87:`
`1181`	`1185`	`++YYCURSOR;`
`1182`		`-#line527 "ext/standard/var_unserializer.re"`
	`1186`	`+#line530 "ext/standard/var_unserializer.re"`
`1183`	`1187`	`{`
`1184`	`1188`	`*p=YYCURSOR;`
`1185`	`1189`	`INIT_PZVAL(*rval);`
`1186`	`1190`	`ZVAL_NULL(*rval);`
`1187`	`1191`	`return1;`
`1188`	`1192`	`}`
`1189`		`-#line1190 "ext/standard/var_unserializer.c"`
	`1193`	`+#line1194 "ext/standard/var_unserializer.c"`
`1190`	`1194`	`yy89:`
`1191`	`1195`	`yych=*++YYCURSOR;`
`1192`	`1196`	`if (yych <=',') {`
`@@ -1209,7 +1213,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)`
`1209`	`1213`	`if (yych <='9') gotoyy91;`
`1210`	`1214`	`if (yych!=';') gotoyy18;`
`1211`	`1215`	`++YYCURSOR;`
`1212`		`-#line504 "ext/standard/var_unserializer.re"`
	`1216`	`+#line507 "ext/standard/var_unserializer.re"`
`1213`	`1217`	`{`
`1214`	`1218`	`longid;`
`1215`	`1219`
`@@ -1232,7 +1236,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)`
`1232`	`1236`
`1233`	`1237`	`return1;`
`1234`	`1238`	`}`
`1235`		`-#line1236 "ext/standard/var_unserializer.c"`
	`1239`	`+#line1240 "ext/standard/var_unserializer.c"`
`1236`	`1240`	`yy95:`
`1237`	`1241`	`yych=*++YYCURSOR;`
`1238`	`1242`	`if (yych <=',') {`
`@@ -1255,7 +1259,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)`
`1255`	`1259`	`if (yych <='9') gotoyy97;`
`1256`	`1260`	`if (yych!=';') gotoyy18;`
`1257`	`1261`	`++YYCURSOR;`
`1258`		`-#line483 "ext/standard/var_unserializer.re"`
	`1262`	`+#line486 "ext/standard/var_unserializer.re"`
`1259`	`1263`	`{`
`1260`	`1264`	`longid;`
`1261`	`1265`
`@@ -1276,9 +1280,9 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)`
`1276`	`1280`
`1277`	`1281`	`return1;`
`1278`	`1282`	`}`
`1279`		`-#line1280 "ext/standard/var_unserializer.c"`
	`1283`	`+#line1284 "ext/standard/var_unserializer.c"`
`1280`	`1284`	`}`
`1281`		`-#line832 "ext/standard/var_unserializer.re"`
	`1285`	`+#line835 "ext/standard/var_unserializer.re"`
`1282`	`1286`
`1283`	`1287`
`1284`	`1288`	`return0;`

`‎ext/standard/var_unserializer.re‎`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -346,6 +346,9 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long`
`346`	`346`	`}else {`
`347`	`347`	`/* object properties should include no integers*/`
`348`	`348`	`convert_to_string(key);`
	`349`	`+if (zend_symtable_find(ht,Z_STRVAL_P(key),Z_STRLEN_P(key) +1, (void **)&old_data)==SUCCESS) {`
	`350`	`+var_push_dtor(var_hash, old_data);`
	`351`	`+}`
`349`	`352`	`zend_hash_update(ht,Z_STRVAL_P(key),Z_STRLEN_P(key) +1, &data,`
`350`	`353`	`sizeof data,NULL);`
`351`	`354`	`}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit681a1af

File tree

3 files changed

3 files changed

`‎ext/standard/tests/serialize/bug68594.phpt‎`

`‎ext/standard/var_unserializer.c‎`

`‎ext/standard/var_unserializer.re‎`

0 commit comments