Commit 1a23ebc

Fixed bug #74103 and bug #75054
Directly fail unserialization when trying to acquire an r/R reference to an UNDEF HT slot. Previously this left an UNDEF and later deleted the index/key from the HT. What actually caused the issue here is a combination of two factors: First, the key deletion was performed using the hash API, rather than the symtable API, such that the element was not actually removed if it used an integral string key. Second, a subsequent deletion operation, while collecting trailing UNDEF ranges, would mark the element as available for reuse (leaving a corrupted HT state with nNumOfElements > nNumUsed). Fix this by failing early and dropping the deletion code.
1 parent b59718b commit 1a23ebc
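The two factors in the commit message can be traced by hand with a small model of the unserializer's bookkeeping. The Python below is an added example, not PHP's C implementation: it keeps var_hash as a list of bucket objects (the top-level value is id 1, every value except `R:` takes the next id, keys take none), empties a bucket when a duplicate key arrives before the new value is parsed into it, folds canonical integer strings into integer keys the way zend_symtable does, and rejects an r/R reference whose target bucket is still UNDEF, which is the check this commit adds. The error offset is the cursor position after the rejected token, as modelled here; fed the two test inputs from this page it yields offsets 68 of 100 and 43 of 145. References are approximated by copying, and only the tags the tests need are handled.

```python
import re

# Added model of PHP's unserialize() bookkeeping; not php-src code.
_INT, _UINT = re.compile(rb"-?[0-9]+"), re.compile(rb"[0-9]+")
_FLOAT = re.compile(rb"[-+]?(INF|NAN|[0-9]*\.?[0-9]+([eE][-+]?[0-9]+)?)")
_CANONICAL_INT = re.compile(rb"0|-?[1-9][0-9]*")  # zend_symtable numeric-string rule, modelled


class UnserializeError(Exception):
    def __init__(self, offset, total):
        super().__init__("Error at offset %d of %d bytes" % (offset, total))
        self.offset, self.total = offset, total


UNDEF = object()  # stands in for an IS_UNDEF zval left in a hash-table bucket


def normalize_key(key):
    """"7" becomes 7 (collides with int key 7); "07", "-0", "+7" stay strings."""
    if isinstance(key, bytes) and _CANONICAL_INT.fullmatch(key):
        n = int(key.decode("ascii"))
        if -(1 << 63) <= n < (1 << 63):
            return n
    return key


class Slot:
    """One bucket; var_hash entries point at buckets, not at values."""
    def __init__(self):
        self.value = UNDEF


class Parser:
    def __init__(self, data):
        self.data, self.pos, self.var_hash = data, 0, []  # ids are 1-based

    def fail(self):
        raise UnserializeError(self.pos, len(self.data))

    def expect(self, lit):
        if not self.data.startswith(lit, self.pos):
            self.fail()
        self.pos += len(lit)

    def read_token(self, terminator, pattern):
        end = self.data.find(terminator, self.pos)
        if end < 0 or not pattern.fullmatch(self.data[self.pos:end]):
            self.fail()
        tok, self.pos = self.data[self.pos:end], end + 1
        return tok.decode("ascii")

    def parse_key(self):
        key = Slot()
        self.parse_value(key, track=False)  # keys are parsed without var_hash
        if not isinstance(key.value, (int, bytes)):
            self.fail()
        return normalize_key(key.value)

    def parse_value(self, slot, track=True):
        if self.pos >= len(self.data):
            self.fail()
        tag = self.data[self.pos:self.pos + 1]
        if track and tag != b"R":
            self.var_hash.append(slot)  # var_push: R: gets no id, everything else does
        self.pos += 1
        if tag == b"N":
            self.expect(b";")
            slot.value = None
        elif tag == b"i":
            self.expect(b":")
            slot.value = int(self.read_token(b";", _INT))
        elif tag == b"d":
            self.expect(b":")
            slot.value = float(self.read_token(b";", _FLOAT))
        elif tag == b"s":
            self.expect(b":")
            n = int(self.read_token(b":", _UINT))
            self.expect(b'"')
            if self.pos + n > len(self.data):
                self.fail()
            slot.value, self.pos = self.data[self.pos:self.pos + n], self.pos + n
            self.expect(b'";')
        elif tag in (b"R", b"r"):
            self.expect(b":")
            ref = int(self.read_token(b";", _UINT))
            if not 1 <= ref <= len(self.var_hash):
                self.fail()
            target = self.var_hash[ref - 1]
            if target.value is UNDEF:  # the early failure this commit adds
                self.fail()
            slot.value = target.value  # aliasing approximated by a copy
        elif tag == b"a":
            self.expect(b":")
            count = int(self.read_token(b":", _UINT))
            self.expect(b"{")
            table = slot.value = {}
            for _ in range(count):
                key = self.parse_key()
                if key in table:  # duplicate key: bucket emptied before the new value is parsed
                    child = table[key]
                    child.value = UNDEF
                else:
                    child = table[key] = Slot()
                self.parse_value(child)
            self.expect(b"}")
        else:
            self.fail()


def _materialize(v):
    return {k: _materialize(s.value) for k, s in v.items()} if isinstance(v, dict) else v


def unserialize(data):
    root = Slot()
    Parser(data).parse_value(root)
    return _materialize(root.value)


def error_offset(data):
    """(offset, total) where the input is rejected, or None if it parses."""
    try:
        unserialize(data)
    except UnserializeError as e:
        return (e.offset, e.total)
    return None


# The two regression-test inputs from this commit, embedded verbatim.
BUG_74103 = b'a:7:{i:0;i:04;s:1:"a";i:2;i:00009617006;i:4;s:1:"a";i:4;s:1:"a";R:5;s:1:"7";R:3;s:1:"a";R:5;;s:18;}}'
BUG_75054 = (b'a:9:{i:0;s:4:"0000";i:0;s:4:"0000";i:0;R:2;s:4:"5003";R:2;s:4:"0000";R:2;s:4:"0000";R:2;s:4:"'
             + b"\x06" + b'000";R:2;s:4:"0000";d:0;s:4:"0000";a:9:{s:4:"0000";')

if __name__ == "__main__":
    print(error_offset(BUG_74103), error_offset(BUG_75054))
    print(unserialize(b'a:3:{i:0;i:5;i:1;R:2;s:1:"1";s:1:"x";}'))  # R:2 to a live bucket, "1" folds to key 1
```

Both proof-of-concept strings fail at the first back-reference that lands on a bucket whose old value was just discarded by a repeated key (`s:1:"a"` three times in the first, `i:0` three times in the second); the symtable folding is what makes a string key such as `"7"` reach the same bucket as the integer key the hash API would not find.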

5 files changed, +614 -585 lines changed


NEWS

Lines changed: 6 additions & 0 deletions
@@ -52,6 +52,12 @@ PHP NEWS
5252
. Fixed bug #74669 (Unserialize ArrayIterator broken). (Andrew Nester)
5353
. Fixed bug #75015 (Crash in recursive iterator destructors). (Julien)
5454

55+
- Standard:
56+
. Fixed bug #74103 (heap-use-after-free when unserializing invalid array
57+
size). (Nikita)
58+
. Fixed bug #75054 (A Denial of Service Vulnerability was found when
59+
performing deserialization). (Nikita)
60+
5561
- XMLRPC:
5662
. Fixed bug #74975 (Incorrect xmlrpc serialization for classes with declared
5763
properties). (blar)
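Review bot: the #75054 entry (hunk lines 58-59) reuses the generic bug-report title and says nothing about what changed, so a NEWS reader looking for unserialize() behaviour changes will not find it; suggest stating the fix from the commit message instead, e.g. `. Fixed bug #75054 (unserialize(): r/R reference to a discarded array slot now fails instead of corrupting the hash table). (Nikita)`. The #74103 line names only the symptom; both fixes make unserialize() return false on input that previously yielded a corrupted array, which is worth a word here.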
Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
--TEST--
2+
Bug #74103: heap-use-after-free when unserializing invalid array size
3+
--FILE--
4+
<?php
5+
var_dump(unserialize('a:7:{i:0;i:04;s:1:"a";i:2;i:00009617006;i:4;s:1:"a";i:4;s:1:"a";R:5;s:1:"7";R:3;s:1:"a";R:5;;s:18;}}'));
6+
?>
7+
--EXPECTF--
8+
Notice: unserialize(): Error at offset 68 of 100 bytes in %s on line %d
9+
bool(false)
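Review bot: the expected offset 68 (hunk line 8) is the byte immediately after `R:5;`, which occupies offsets 64..67 of the 100-byte input, so the test pins the error position at the rejected back-reference; nothing in the file says so, and the heap-use-after-free in the title is only observable under ASan or valgrind, so the test proves the early failure rather than the absence of the UAF. Suggest a comment recording both points, and consider trimming the input: after the seventh key/value pair the string continues with `;s:18;}}`, which is never reached, and makes the actual trigger (the repeated `s:1:"a"` key followed by `R:5`) hard to see.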
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
--TEST--
2+
Bug #75054: A Denial of Service Vulnerability was found when performing deserialization
3+
--FILE--
4+
<?php
5+
$poc = 'a:9:{i:0;s:4:"0000";i:0;s:4:"0000";i:0;R:2;s:4:"5003";R:2;s:4:"0000";R:2;s:4:"0000";R:2;s:4:"';
6+
$poc .= "\x06";
7+
$poc .= '000";R:2;s:4:"0000";d:0;s:4:"0000";a:9:{s:4:"0000";';
8+
var_dump(unserialize($poc));
9+
?>
10+
--EXPECTF--
11+
Notice: unserialize(): Error at offset 43 of 145 bytes in %s on line %d
12+
bool(false)
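Review bot: the `\x06` byte the `$poc` is split around (hunk line 6) sits at offset 93 of the 145-byte input, far past the failure the test expects at offset 43, which is the byte right after the first `R:2;` (offsets 39..42); the control byte and the whole tail from `s:4:"5003"` onward are therefore never parsed, and the three-part concatenation suggests they matter when they do not. Either reduce the input to the three `i:0` keys and the `R:2` back-reference, or add a comment saying the tail is kept verbatim from the report.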
