File: CVE-2015-6831-70166.patch

From 7381b6accc5559b2de039af3a22f6ec1003b03b3 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sat, 1 Aug 2015 21:45:19 -0700
Subject: [PATCH] Fixed bug #70166 - Use After Free Vulnerability in
 unserialize() with SPLArrayObject

---
 ext/spl/spl_array.c         |  3 +++
 ext/spl/tests/bug70166.phpt | 29 +++++++++++++++++++++++++++++
 2 files changed, 32 insertions(+)
 create mode 100644 ext/spl/tests/bug70166.phpt

Index: php5-5.3.3.1/ext/spl/spl_array.c
===================================================================
--- php5-5.3.3.1.orig/ext/spl/spl_array.c	2015-10-28 14:22:53.000000000 +0100
+++ php5-5.3.3.1/ext/spl/spl_array.c	2015-10-28 14:22:53.000000000 +0100
@@ -1676,6 +1676,7 @@
 		goto outexcept;
 	}
 
+	var_push_dtor(var_hash_p, &pflags);
 	--p; /* for ';' */
 	flags = Z_LVAL_P(pflags);
 	/* flags needs to be verified and we also need to verify whether the next
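Review bot: The added `var_push_dtor(var_hash_p, &pflags);` carries no comment saying why the freshly unserialized zval is parked on var_hash's delayed-destructor list instead of being released in place, and the same holds for the calls added in the hunks at line 1700 (`&intern->array`) and line 1719 (`&pmembers`) of this file; that lifetime change is the whole point of the fix. I would put `/* keep alive until var_hash is destroyed: a later back-reference in the same stream may still point at this zval (bug #70166) */` above this call and a one-line `/* see bug #70166 */` above the other two. var_push_dtor() takes its own reference on the zval and var_hash's teardown drops it later, so the existing releases — the `zval_ptr_dtor(&pmembers)` visible after the third hunk, and whatever frees pflags and intern->array outside these hunks — must stay as they are, otherwise the refcount goes unbalanced; please also confirm the `outexcept` path releases them the same way. The enclosing function (presumably the ArrayObject unserialize handler) starts and ends outside the hunk, and the `Z_LVAL_P(pflags)` read on the next line relies on a type check that is not visible here.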
@@ -1699,6 +1700,7 @@
 		if (!php_var_unserialize(&intern->array, &p, s + buf_len, var_hash_p TSRMLS_CC)) {
 			goto outexcept;
 		}
+		var_push_dtor(var_hash_p, &intern->array);
 	}
 	if (*p != ';') {
 		goto outexcept;
@@ -1717,6 +1719,7 @@
 		goto outexcept;
 	}
 
+	var_push_dtor(var_hash_p, &pmembers);
 	/* copy members */
 	zend_hash_copy(intern->std.properties, Z_ARRVAL_P(pmembers), (copy_ctor_func_t) zval_add_ref, (void *) NULL, sizeof(zval *));
 	zval_ptr_dtor(&pmembers);
Index: php5-5.3.3.1/ext/spl/tests/bug70166.phpt
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ php5-5.3.3.1/ext/spl/tests/bug70166.phpt	2015-10-28 14:22:53.000000000 +0100
@@ -0,0 +1,29 @@
+--TEST--
+SPL: Bug #70166 Use After Free Vulnerability in unserialize() with SPLArrayObject
+--FILE--
+<?php
+$inner = 'x:i:1;a:0:{};m:a:0:{}';
+$exploit = 'a:2:{i:0;C:11:"ArrayObject":'.strlen($inner).':{'.$inner.'}i:1;R:5;}';
+
+$data = unserialize($exploit);
+
+for($i = 0; $i < 5; $i++) {
+    $v[$i] = 'hi'.$i;
+}
+
+var_dump($data);
+?>
+===DONE===
+--EXPECTF--
+array(2) {
+  [0]=>
+  object(ArrayObject)#%d (1) {
+    ["storage":"ArrayObject":private]=>
+    array(0) {
+    }
+  }
+  [1]=>
+  array(0) {
+  }
+}
+===DONE===
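Review bot: The loop `for($i = 0; $i < 5; $i++) { $v[$i] = 'hi'.$i; }` has no comment and reads as dead code, since $v is never used afterwards; presumably it is there so that allocations made after unserialize() reuse memory released during parsing, making a stale element of $data visible in the var_dump() below. Suggest `// $v is never read: these allocations only reuse memory freed by unserialize(), so a stale reference in $data would show in the dump` above the loop so nobody "cleans it up". Note that such a check is only reliable under a memory checker (valgrind/ASan); on a build where the freed block is not reused, the EXPECTF output may match even with the bug present.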