diff options
| author | Stanislav Malyshev <stas@php.net> | 2016-07-12 23:27:45 -0700 |
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2016-07-12 23:27:45 -0700 |
| commit | 3798eb6fd5dddb211b01d41495072fd9858d4e32 (patch) | |
| tree | 7c9ce47dbd689b53d9e13482b8381dc47e43e6c6 | |
| parent | aa82e99ed8003c01f1ef4f0940e56b85c5b032d4 (diff) | |
| download | php-git-3798eb6fd5dddb211b01d41495072fd9858d4e32.tar.gz | |
Fix bug #72562 - destroy var_hash properly
| -rw-r--r-- | ext/session/session.c | 3 | ||||
| -rw-r--r-- | ext/session/tests/bug72562.phpt | 44 |
2 files changed, 46 insertions, 1 deletions
diff --git a/ext/session/session.c b/ext/session/session.c index f5439ea79c..cb6cc01f21 100644 --- a/ext/session/session.c +++ b/ext/session/session.c @@ -866,7 +866,7 @@ PS_SERIALIZER_DECODE_FUNC(php_serialize) /* {{{ */ if (php_var_unserialize(&session_vars, &val, endptr, &var_hash TSRMLS_CC)) { var_push_dtor(&var_hash, &session_vars); } - + PHP_VAR_UNSERIALIZE_DESTROY(var_hash); if (PS(http_session_vars)) { zval_ptr_dtor(&PS(http_session_vars)); @@ -931,6 +931,7 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */ namelen = ((unsigned char)(*p)) & (~PS_BIN_UNDEF); if (namelen < 0 || namelen > PS_BIN_MAX || (p + namelen) >= endptr) { + PHP_VAR_UNSERIALIZE_DESTROY(var_hash); return FAILURE; } diff --git a/ext/session/tests/bug72562.phpt b/ext/session/tests/bug72562.phpt new file mode 100644 index 0000000000..d85e48b069 --- /dev/null +++ b/ext/session/tests/bug72562.phpt @@ -0,0 +1,44 @@ +--TEST-- +Bug #72562: Use After Free in unserialize() with Unexpected Session Deserialization +--SKIPIF-- +<?php include('skipif.inc'); ?> +--FILE-- +<?php + +ini_set('session.serialize_handler', 'php_binary'); +session_start(); +$sess = "\x1xi:1;\x2y"; +session_decode($sess); +$uns_1 = '{'; +$out_1[] = unserialize($uns_1); +unset($out_1); +$fakezval = ptr2str(1122334455); +$fakezval .= ptr2str(0); +$fakezval .= "\x00\x00\x00\x00"; +$fakezval .= "\x01"; +$fakezval .= "\x00"; +$fakezval .= "\x00\x00"; +for ($i = 0; $i < 5; $i++) { + $v[$i] = $fakezval.$i; +} +$uns_2 = 'R:2;'; +$out_2 = unserialize($uns_2); +var_dump($out_2); + +function ptr2str($ptr) +{ + $out = ''; + for ($i = 0; $i < 8; $i++) { + $out .= chr($ptr & 0xff); + $ptr >>= 8; + } + return $out; +} +?> +--EXPECTF-- +Warning: session_decode(): Failed to decode session object. Session has been destroyed in %s/bug72562.php on line %d + +Notice: unserialize(): Error at offset 0 of 1 bytes in %s/bug72562.php on line %d + +Notice: unserialize(): Error at offset 4 of 4 bytes in %s/bug72562.php on line %d +bool(false) |