mike                                     Fri, 02 Dec 2011 11:50:22 +0000

Revision: http://svn.php.net/viewvc?view=revision&revision=320279

Log:
Fixed bug #60240 (invalid read/writes when unserializing specially crafted 
strings)

Bug: https://bugs.php.net/60240 (Assigned) invalid read/writes when 
unserializing specially crafted strings
      
Changed paths:
    U   php/php-src/branches/PHP_5_4/NEWS
    U   php/php-src/branches/PHP_5_4/ext/spl/spl_observer.c
    U   
php/php-src/branches/PHP_5_4/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
    U   php/php-src/trunk/ext/spl/spl_observer.c
    U   php/php-src/trunk/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt

Modified: php/php-src/branches/PHP_5_4/NEWS
===================================================================
--- php/php-src/branches/PHP_5_4/NEWS   2011-12-02 10:46:53 UTC (rev 320278)
+++ php/php-src/branches/PHP_5_4/NEWS   2011-12-02 11:50:22 UTC (rev 320279)
@@ -4,6 +4,8 @@
 - Core:
   . Fixed bug #60350 (No string escape code for ESC (ascii 27), normally \e).
     (php at mickweiss dot com)
+  . Fixed bug #60240 (invalid read/writes when unserializing specially crafted
+    strings). (Mike)

 - CLI SAPI:
   . Implement FR #60390 (Missing $_SERVER['SERVER_PORT']). (Pierre)

Modified: php/php-src/branches/PHP_5_4/ext/spl/spl_observer.c
===================================================================
--- php/php-src/branches/PHP_5_4/ext/spl/spl_observer.c 2011-12-02 10:46:53 UTC 
(rev 320278)
+++ php/php-src/branches/PHP_5_4/ext/spl/spl_observer.c 2011-12-02 11:50:22 UTC 
(rev 320279)
@@ -836,13 +836,11 @@

        ALLOC_INIT_ZVAL(pcount);
        if (!php_var_unserialize(&pcount, &p, s + buf_len, &var_hash TSRMLS_CC) 
|| Z_TYPE_P(pcount) != IS_LONG) {
-               zval_ptr_dtor(&pcount);
                goto outexcept;
        }

        --p; /* for ';' */
        count = Z_LVAL_P(pcount);
-       zval_ptr_dtor(&pcount);

        while(count-- > 0) {
                spl_SplObjectStorageElement *pelement;
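Review bot: Dropping the `zval_ptr_dtor(&pcount)` that followed `count = Z_LVAL_P(pcount);` leaves the count zval allocated for the whole element loop, which reads as a leak to anyone who has not seen this commit; the log message ties it to bug #60240 but the code does not. A comment on the `count = Z_LVAL_P(pcount);` line would keep a later cleanup from reintroducing the early free, e.g. `/* keep pcount alive until the end of the function: a crafted back-reference may still point at it (bug #60240) */`. That var_hash can still refer to pcount is inferred from the log and from the test blobs moving their back-reference index, not from lines in this hunk; the call that registers the value is outside it, as are the start and end of the enclosing function. The trunk hunk at the same location needs the same comment.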
@@ -920,11 +918,16 @@
        zval_ptr_dtor(&pmembers);

        /* done reading $serialized */
-
+       if (pcount) {
+               zval_ptr_dtor(&pcount);
+       }
        PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
        return;

 outexcept:
+       if (pcount) {
+               zval_ptr_dtor(&pcount);
+       }
        PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
        zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC, 
"Error at offset %ld of %d bytes", (long)((char*)p - buf), buf_len);
        return;
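Review bot: The new `if (pcount)` guards at the `/* done reading $serialized */` path and at `outexcept:` are only correct if `pcount` is initialised to NULL at its declaration, which is outside this hunk; the guard itself implies that `outexcept` can be reached before `ALLOC_INIT_ZVAL(pcount)` runs (the function starts well before the hunk at line 836), and on such a path an uninitialised `pcount` would make the guard test an indeterminate pointer and hand it to `zval_ptr_dtor`. If the declaration reads `zval *pcount;` it should become `zval *pcount = NULL;`; if it already does, a one-line comment there noting that the `outexcept` cleanup relies on it would make the dependency visible. The guard on the normal-return path is redundant, since `pcount` has been allocated by then, but harmless. The trunk hunk at line 918 has the same dependency.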

Modified: 
php/php-src/branches/PHP_5_4/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
===================================================================
--- 
php/php-src/branches/PHP_5_4/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
    2011-12-02 10:46:53 UTC (rev 320278)
+++ 
php/php-src/branches/PHP_5_4/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
    2011-12-02 11:50:22 UTC (rev 320279)
@@ -5,8 +5,8 @@

 $badblobs = array(
 'x:i:2;i:0;,i:1;;i:0;,i:2;;m:a:0:{}',
-'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
-'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
+'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
+'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
 );
 foreach($badblobs as $blob) {
 try {
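Review bot: The blobs carrying `R:1;` and `r:1;` are replaced rather than kept, yet by the log message inputs of that shape are what produced the invalid read/writes; if the C fix turns them into input that no longer throws, they do not belong in this bad-input list, but dropping them leaves no regression test that bug #60240 stays fixed, so keeping them somewhere with their now-expected outcome would cover that. Nothing in the hunk says why the back-reference moved from slot 1 to slot 2; presumably slot 1 is the count zval that the companion spl_observer.c change now keeps alive, and a comment such as `// bug #60240: slot 1 is the count value, so the back-reference now targets slot 2` would record it (confirm against the unserialize code). The EXPECT section is outside the hunk, so whether the new blobs still raise the expected exceptions cannot be checked here. The trunk test hunk has the same gap.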

Modified: php/php-src/trunk/ext/spl/spl_observer.c
===================================================================
--- php/php-src/trunk/ext/spl/spl_observer.c    2011-12-02 10:46:53 UTC (rev 
320278)
+++ php/php-src/trunk/ext/spl/spl_observer.c    2011-12-02 11:50:22 UTC (rev 
320279)
@@ -836,13 +836,11 @@

        ALLOC_INIT_ZVAL(pcount);
        if (!php_var_unserialize(&pcount, &p, s + buf_len, &var_hash TSRMLS_CC) 
|| Z_TYPE_P(pcount) != IS_LONG) {
-               zval_ptr_dtor(&pcount);
                goto outexcept;
        }

        --p; /* for ';' */
        count = Z_LVAL_P(pcount);
-       zval_ptr_dtor(&pcount);

        while(count-- > 0) {
                spl_SplObjectStorageElement *pelement;
@@ -920,11 +918,16 @@
        zval_ptr_dtor(&pmembers);

        /* done reading $serialized */
-
+       if (pcount) {
+               zval_ptr_dtor(&pcount);
+       }
        PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
        return;

 outexcept:
+       if (pcount) {
+               zval_ptr_dtor(&pcount);
+       }
        PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
        zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC, 
"Error at offset %ld of %d bytes", (long)((char*)p - buf), buf_len);
        return;

Modified: php/php-src/trunk/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
===================================================================
--- php/php-src/trunk/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt       
2011-12-02 10:46:53 UTC (rev 320278)
+++ php/php-src/trunk/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt       
2011-12-02 11:50:22 UTC (rev 320279)
@@ -5,8 +5,8 @@

 $badblobs = array(
 'x:i:2;i:0;,i:1;;i:0;,i:2;;m:a:0:{}',
-'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
-'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
+'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
+'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
 );
 foreach($badblobs as $blob) {
 try {
