Browse Source

Merge branch 'PHP-5.4' into PHP-5.5

* PHP-5.4:
  5.4.38 next
  Fix bug #68799: Free called on unitialized pointer
  Fix for bug #68710 (Use After Free Vulnerability in PHP's unserialize())

Conflicts:
	configure.in
	main/php_version.h
pull/1038/head
Stanislav Malyshev 12 years ago
parent
commit
e2744c51b6
  1. 2
      ext/exif/exif.c
  2. BIN
      ext/exif/tests/bug68799.jpg
  3. 63
      ext/exif/tests/bug68799.phpt
  4. 25
      ext/standard/tests/strings/bug68710.phpt
  5. 4
      ext/standard/var_unserializer.c
  6. 2
      ext/standard/var_unserializer.re

2
ext/exif/exif.c

@ -2702,7 +2702,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_field, int tag, char *szValuePtr, int ByteCount TSRMLS_DC)
{
xp_field->tag = tag;
xp_field->value = NULL;
/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */
if (zend_multibyte_encoding_converter(
(unsigned char**)&xp_field->value,

BIN
ext/exif/tests/bug68799.jpg

After

Width: 1  |  Height: 1  |  Size: 735 B

63
ext/exif/tests/bug68799.phpt

@ -0,0 +1,63 @@
--TEST--
Bug #68799 (Free called on unitialized pointer)
--SKIPIF--
<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
--FILE--
<?php
/*
* Pollute the heap. Helps trigger bug. Sometimes not needed.
*/
class A {
function __construct() {
$a = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa';
$this->a = $a . $a . $a . $a . $a . $a;
}
};
function doStuff ($limit) {
$a = new A;
$b = array();
for ($i = 0; $i < $limit; $i++) {
$b[$i] = clone $a;
}
unset($a);
gc_collect_cycles();
}
$iterations = 3;
doStuff($iterations);
doStuff($iterations);
gc_collect_cycles();
print_r(exif_read_data(__DIR__.'/bug68799.jpg'));
?>
--EXPECTF--
Array
(
[FileName] => bug68799.jpg
[FileDateTime] => %d
[FileSize] => 735
[FileType] => 2
[MimeType] => image/jpeg
[SectionsFound] => ANY_TAG, IFD0, WINXP
[COMPUTED] => Array
(
[html] => width="1" height="1"
[Height] => 1
[Width] => 1
[IsColor] => 1
[ByteOrderMotorola] => 1
)
[XResolution] => 96/1
[YResolution] => 96/1
[ResolutionUnit] => 2
[Author] =>
)

25
ext/standard/tests/strings/bug68710.phpt

@ -0,0 +1,25 @@
--TEST--
Bug #68710 Use after free vulnerability in unserialize() (bypassing the
CVE-2014-8142 fix)
--FILE--
<?php
for ($i=4; $i<100; $i++) {
$m = new StdClass();
$u = array(1);
$m->aaa = array(1,2,&$u,4,5);
$m->bbb = 1;
$m->ccc = &$u;
$m->ddd = str_repeat("A", $i);
$z = serialize($m);
$z = str_replace("aaa", "123", $z);
$z = str_replace("bbb", "123", $z);
$y = unserialize($z);
$z = serialize($y);
}
?>
===DONE===
--EXPECTF--
===DONE===

4
ext/standard/var_unserializer.c

@ -1,4 +1,4 @@
/* Generated by re2c 0.13.7.5 on Thu Dec 11 19:26:19 2014 */
/* Generated by re2c 0.13.7.5 on Thu Jan 1 14:43:18 2015 */
#line 1 "ext/standard/var_unserializer.re"
/*
+----------------------------------------------------------------------+
@ -343,7 +343,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
} else {
/* object properties should include no integers */
convert_to_string(key);
if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
var_push_dtor(var_hash, old_data);
}
zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,

2
ext/standard/var_unserializer.re

@ -347,7 +347,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
} else {
/* object properties should include no integers */
convert_to_string(key);
if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
var_push_dtor(var_hash, old_data);
}
zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,

Loading…
Cancel
Save