Merge branch 'bug68710' into PHP-5.4

smalyshev · smalyshev · commit e63f7b47e193 · 2015-01-20T01:02:26.000-08:00
* bug68710:
  Fix for bug #68710 (Use After Free Vulnerability in PHP's unserialize())
diff --git a/NEWS b/NEWS
@@ -1,6 +1,10 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 20?? PHP 5.4.37
+- Core:
+  . Fixed bug #68710 (Use After Free Vulnerability in PHP's unserialize()).
+    (CVE-2015-0231) (Stefan Esser)
+
 - CGI:
   . Fixed bug #68618 (out of bounds read crashes php-cgi). (Stas)
 
diff --git a/ext/standard/tests/strings/bug68710.phpt b/ext/standard/tests/strings/bug68710.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Bug #68710 Use after free vulnerability in unserialize() (bypassing the
+CVE-2014-8142 fix)
+--FILE--
+<?php
+for ($i=4; $i<100; $i++) {
+    $m = new StdClass();
+
+    $u = array(1);
+
+    $m->aaa = array(1,2,&$u,4,5);
+    $m->bbb = 1;
+    $m->ccc = &$u;
+    $m->ddd = str_repeat("A", $i);
+
+    $z = serialize($m);
+    $z = str_replace("aaa", "123", $z);
+    $z = str_replace("bbb", "123", $z);
+    $y = unserialize($z);
+    $z = serialize($y);
+}
+?>
+===DONE===
+--EXPECTF--
+===DONE===
diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
@@ -1,4 +1,4 @@
-/* Generated by re2c 0.13.7.5 on Thu Dec 11 19:26:19 2014 */
+/* Generated by re2c 0.13.7.5 on Thu Jan  1 14:43:18 2015 */
 #line 1 "ext/standard/var_unserializer.re"
 /*
   +----------------------------------------------------------------------+
@@ -343,7 +343,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
 		} else {
 			/* object properties should include no integers */
 			convert_to_string(key);
-			if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
+			if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
 				var_push_dtor(var_hash, old_data);
 			}
 			zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
@@ -347,7 +347,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
 		} else {
 			/* object properties should include no integers */
 			convert_to_string(key);
-			if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
+			if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
 				var_push_dtor(var_hash, old_data);
 			}
 			zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,

Original file line number	Diff line number	Diff line change
`@@ -347,7 +347,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long`
`347`	`347`	`} else {`
`348`	`348`	`/* object properties should include no integers */`
`349`	`349`	`convert_to_string(key);`
`350`		`- if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {`
	`350`	`+ if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {`
`351`	`351`	`var_push_dtor(var_hash, old_data);`
`352`	`352`	`}`
`353`	`353`	`zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,`