mike Fri, 02 Dec 2011 11:50:22 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=320279
Log: Fixed bug #60240 (invalid read/writes when unserializing specially crafted strings) Bug: https://bugs.php.net/60240 (Assigned) invalid read/writes when unserializing specially crafted strings Changed paths: U php/php-src/branches/PHP_5_4/NEWS U php/php-src/branches/PHP_5_4/ext/spl/spl_observer.c U php/php-src/branches/PHP_5_4/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt U php/php-src/trunk/ext/spl/spl_observer.c U php/php-src/trunk/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt Modified: php/php-src/branches/PHP_5_4/NEWS =================================================================== --- php/php-src/branches/PHP_5_4/NEWS 2011-12-02 10:46:53 UTC (rev 320278) +++ php/php-src/branches/PHP_5_4/NEWS 2011-12-02 11:50:22 UTC (rev 320279) @@ -4,6 +4,8 @@ - Core: . Fixed bug #60350 (No string escape code for ESC (ascii 27), normally \e). (php at mickweiss dot com) + . Fixed bug #60240 (invalid read/writes when unserializing specially crafted + strings). (Mike) - CLI SAPI: . Implement FR #60390 (Missing $_SERVER['SERVER_PORT']). (Pierre) Modified: php/php-src/branches/PHP_5_4/ext/spl/spl_observer.c =================================================================== --- php/php-src/branches/PHP_5_4/ext/spl/spl_observer.c 2011-12-02 10:46:53 UTC (rev 320278) +++ php/php-src/branches/PHP_5_4/ext/spl/spl_observer.c 2011-12-02 11:50:22 UTC (rev 320279) @@ -836,13 +836,11 @@ ALLOC_INIT_ZVAL(pcount); if (!php_var_unserialize(&pcount, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pcount) != IS_LONG) { - zval_ptr_dtor(&pcount); goto outexcept; } --p; /* for ';' */ count = Z_LVAL_P(pcount); - zval_ptr_dtor(&pcount); while(count-- > 0) { spl_SplObjectStorageElement *pelement; 
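Review bot: Nothing near `ALLOC_INIT_ZVAL(pcount)` records why `pcount` must now stay alive for the whole parse, so a later tidy-up could move `zval_ptr_dtor(&pcount)` back next to `count = Z_LVAL_P(pcount);` and reintroduce the bug. Because `pcount` is parsed with `&var_hash`, it is presumably recorded there as a back-reference slot, and releasing it early would let a later `r:`/`R:` entry in the input resolve to freed memory. A comment above the `count = ...` line would make that constraint explicit, for example `/* pcount is tracked by var_hash: release it only after all parsing is done */`. Any other temporary that is parsed with the same `var_hash` and released inside the loop (not visible here) deserves the same check. The enclosing function starts and ends outside this hunk, and the identical hunk is applied to the trunk copy of spl_observer.c.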
@@ -920,11 +918,16 @@ zval_ptr_dtor(&pmembers); /* done reading $serialized */ - + if (pcount) { + zval_ptr_dtor(&pcount); + } PHP_VAR_UNSERIALIZE_DESTROY(var_hash); return; outexcept: + if (pcount) { + zval_ptr_dtor(&pcount); + } PHP_VAR_UNSERIALIZE_DESTROY(var_hash); zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC, "Error at offset %ld of %d bytes", (long)((char*)p - buf), buf_len); return; Modified: php/php-src/branches/PHP_5_4/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt =================================================================== --- php/php-src/branches/PHP_5_4/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt 2011-12-02 10:46:53 UTC (rev 320278) +++ php/php-src/branches/PHP_5_4/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt 2011-12-02 11:50:22 UTC (rev 320279) @@ -5,8 +5,8 @@ $badblobs = array( 'x:i:2;i:0;,i:1;;i:0;,i:2;;m:a:0:{}', -'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}', -'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}', +'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}', +'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}', ); foreach($badblobs as $blob) { try { Modified: php/php-src/trunk/ext/spl/spl_observer.c =================================================================== --- php/php-src/trunk/ext/spl/spl_observer.c 2011-12-02 10:46:53 UTC (rev 320278) +++ php/php-src/trunk/ext/spl/spl_observer.c 2011-12-02 11:50:22 UTC (rev 320279) @@ -836,13 +836,11 @@ ALLOC_INIT_ZVAL(pcount); if (!php_var_unserialize(&pcount, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pcount) != IS_LONG) { - zval_ptr_dtor(&pcount); goto outexcept; } --p; /* for ';' */ count = Z_LVAL_P(pcount); - zval_ptr_dtor(&pcount); while(count-- > 0) { spl_SplObjectStorageElement *pelement; 
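Review bot: The `if (pcount)` guard added under `outexcept:` is only sound if `pcount` is initialised to NULL where it is declared, which is outside this hunk. If any `goto outexcept` can run before `ALLOC_INIT_ZVAL(pcount)`, the guard would otherwise test an indeterminate pointer and pass it to `zval_ptr_dtor`. Please confirm the declaration reads `zval *pcount = NULL` and add the initialiser if it does not. On the success path the guard is redundant, since `pcount` has always been allocated by then; a short comment such as `/* pcount may be NULL if we bailed out before allocating it */` at the `outexcept:` copy would explain why the check is there. The same hunk is applied to trunk/ext/spl/spl_observer.c.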
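Review bot: The two blobs that used `R:1;` and `r:1;` are rewritten to `R:2;` and `r:2;` instead of being kept, so after this commit no test input refers back to slot 1 any more. If those were the inputs that exposed the invalid access reported in bug #60240, the fix is left without a regression test for the exact shape that failed. I would keep the original two strings as additional entries in `$badblobs` (or in a separate .phpt), with the expected output updated to whatever the fixed code now produces for them. The same edit is made to the trunk copy of this test.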
@@ -920,11 +918,16 @@ zval_ptr_dtor(&pmembers); /* done reading $serialized */ - + if (pcount) { + zval_ptr_dtor(&pcount); + } PHP_VAR_UNSERIALIZE_DESTROY(var_hash); return; outexcept: + if (pcount) { + zval_ptr_dtor(&pcount); + } PHP_VAR_UNSERIALIZE_DESTROY(var_hash); zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC, "Error at offset %ld of %d bytes", (long)((char*)p - buf), buf_len); return; Modified: php/php-src/trunk/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt =================================================================== --- php/php-src/trunk/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt 2011-12-02 10:46:53 UTC (rev 320278) +++ php/php-src/trunk/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt 2011-12-02 11:50:22 UTC (rev 320279) @@ -5,8 +5,8 @@ $badblobs = array( 'x:i:2;i:0;,i:1;;i:0;,i:2;;m:a:0:{}', -'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}', -'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}', +'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}', +'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}', ); foreach($badblobs as $blob) { try {
