From b585a3aed7880a5fa5c18e2b838fc96f40e075bd Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Thu, 1 Jan 2015 16:19:05 -0800 Subject: [PATCH 1/3] Fix for bug #68710 (Use After Free Vulnerability in PHP's unserialize()) --- NEWS | 4 ++++ ext/standard/tests/strings/bug68710.phpt | 25 ++++++++++++++++++++++++ ext/standard/var_unserializer.c | 4 ++-- ext/standard/var_unserializer.re | 2 +- 4 files changed, 32 insertions(+), 3 deletions(-) create mode 100644 ext/standard/tests/strings/bug68710.phpt diff --git a/NEWS b/NEWS index fa57ef3161c..f789a9258e3 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,10 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? 20?? PHP 5.4.37 +- Core: + . Fix bug #68710 (Use after free vulnerability in unserialize(), incomplete + fix for #68594). (Stefan Esser) + - CGI: . Fix bug #68618 (out of bounds read crashes php-cgi). (Stas) diff --git a/ext/standard/tests/strings/bug68710.phpt b/ext/standard/tests/strings/bug68710.phpt new file mode 100644 index 00000000000..729a12011b5 --- /dev/null +++ b/ext/standard/tests/strings/bug68710.phpt @@ -0,0 +1,25 @@ +--TEST-- +Bug #68710 Use after free vulnerability in unserialize() (bypassing the +CVE-2014-8142 fix) +--FILE-- +aaa = array(1,2,&$u,4,5); + $m->bbb = 1; + $m->ccc = &$u; + $m->ddd = str_repeat("A", $i); + + $z = serialize($m); + $z = str_replace("aaa", "123", $z); + $z = str_replace("bbb", "123", $z); + $y = unserialize($z); + $z = serialize($y); +} +?> +===DONE=== +--EXPECTF-- +===DONE=== diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c index a12d2fa24e3..f114080b86e 100644 --- a/ext/standard/var_unserializer.c +++ b/ext/standard/var_unserializer.c @@ -1,4 +1,4 @@ -/* Generated by re2c 0.13.7.5 on Thu Dec 11 19:26:19 2014 */ +/* Generated by re2c 0.13.7.5 on Thu Jan 1 14:43:18 2015 */ #line 1 "ext/standard/var_unserializer.re" /* +----------------------------------------------------------------------+ @@ -343,7 +343,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long } else { /* object properties should include no integers */ convert_to_string(key); - if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) { + if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) { var_push_dtor(var_hash, old_data); } zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re index 4cf1d108328..f04fc74c312 100644 --- a/ext/standard/var_unserializer.re +++ b/ext/standard/var_unserializer.re @@ -347,7 +347,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long } else { /* object properties should include no integers */ convert_to_string(key); - if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) { + if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) { var_push_dtor(var_hash, old_data); } zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, From 2fc178cf448d8e1b95d1314e47eeef610729e0df Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 11 Jan 2015 00:51:05 -0800 Subject: [PATCH 2/3] Fix bug #68799: Free called on unitialized pointer --- ext/exif/exif.c | 2 +- ext/exif/tests/bug68799.jpg | Bin 0 -> 735 bytes ext/exif/tests/bug68799.phpt | 63 +++++++++++++++++++++++++++++++++++ 3 files changed, 64 insertions(+), 1 deletion(-) create mode 100644 ext/exif/tests/bug68799.jpg create mode 100644 ext/exif/tests/bug68799.phpt diff --git a/ext/exif/exif.c b/ext/exif/exif.c index 637ebf9289b..7f95ff43ea7 100644 --- a/ext/exif/exif.c +++ b/ext/exif/exif.c @@ -2702,7 +2702,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_field, int tag, char *szValuePtr, int ByteCount TSRMLS_DC) { xp_field->tag = tag; - + xp_field->value = NULL; /* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */ if (zend_multibyte_encoding_converter( (unsigned char**)&xp_field->value, diff --git a/ext/exif/tests/bug68799.jpg b/ext/exif/tests/bug68799.jpg new file mode 100644 index 0000000000000000000000000000000000000000..acc326dbbf3be6e0721ea1b6b6da6b78225883ba GIT binary patch literal 735 zcmex=Bm<7<_#hv=|r|I2c$Mr5IR&EJh%< zW0Z!o-550(n8D&q3=DJTG5|?1@PpC`KpLb6Ocx|(=9TE>rIsj|=o#o4GyK2J;LO0p z$OuAEz|6`F0&FZS%&hEe?Cc=S!O6|Z!NJAB&d$Zl#l_771niuA{JcDTAU4PlkamzR zAmZU*=K!f74g5dAAjko9C?hkY5(ASUBeNjm|04|YK)16pf&tJAV8F=4%)-hBbP^Xg zP{CFKp!1oTnShREWnlrTt_8|7un4jWDH=Mm2?r*!D;0_uHBMZ}q3pErplHy=4=Tn< zMNOPsV&W2#QmSg|8k$-rre@|AmR8_^_we)z4hanlkBE#)PDxEm&&bRwE-5W5uc)kQ zZfR|6@96BBG|V^&07y2J$~}^+4C1KUw!=a`ODXD-+%o41@ado12e>1KoYCJ1cCly0>%LgJIG&* zOyxk#EXcyDXviky7|5PjD6C}E$RXl1apA^;oXW;QA4HRiE^>*fm^@Vd2=W@(XT*7| hi7cPNJ%;etEe0NDMquPI3o_U<{Qa}2ON06UO#tsw&oBT0 literal 0 HcmV?d00001 diff --git a/ext/exif/tests/bug68799.phpt b/ext/exif/tests/bug68799.phpt new file mode 100644 index 00000000000..b09f21ca7be --- /dev/null +++ b/ext/exif/tests/bug68799.phpt @@ -0,0 +1,63 @@ +--TEST-- +Bug #68799 (Free called on unitialized pointer) +--SKIPIF-- + +--FILE-- +a = $a . $a . $a . $a . $a . $a; + } +}; + +function doStuff ($limit) { + + $a = new A; + + $b = array(); + for ($i = 0; $i < $limit; $i++) { + $b[$i] = clone $a; + } + + unset($a); + + gc_collect_cycles(); +} + +$iterations = 3; + +doStuff($iterations); +doStuff($iterations); + +gc_collect_cycles(); + +print_r(exif_read_data(__DIR__.'/bug68799.jpg')); + +?> +--EXPECTF-- +Array +( + [FileName] => bug68799.jpg + [FileDateTime] => %d + [FileSize] => 735 + [FileType] => 2 + [MimeType] => image/jpeg + [SectionsFound] => ANY_TAG, IFD0, WINXP + [COMPUTED] => Array + ( + [html] => width="1" height="1" + [Height] => 1 + [Width] => 1 + [IsColor] => 1 + [ByteOrderMotorola] => 1 + ) + + [XResolution] => 96/1 + [YResolution] => 96/1 + [ResolutionUnit] => 2 + [Author] => +) From 8825311ce1e9b0c3b627ff32808dd4e0d577c136 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Tue, 20 Jan 2015 10:38:33 -0800 Subject: [PATCH 3/3] 5.4.38 next --- NEWS | 4 +++- configure.in | 2 +- main/php_version.h | 7 +++---- 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/NEWS b/NEWS index e4629f9584d..e1e3fd108af 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,8 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| -?? ??? 20?? PHP 5.4.37 +?? ??? 20?? PHP 5.4.38 + +22 Jan 2015 PHP 5.4.37 - Core: . Fixed bug #68710 (Use After Free Vulnerability in PHP's unserialize()). (CVE-2015-0231) (Stefan Esser) diff --git a/configure.in b/configure.in index 8700b1775a2..4282fa21655 100644 --- a/configure.in +++ b/configure.in @@ -119,7 +119,7 @@ int zend_sprintf(char *buffer, const char *format, ...); PHP_MAJOR_VERSION=5 PHP_MINOR_VERSION=4 -PHP_RELEASE_VERSION=37 +PHP_RELEASE_VERSION=38 PHP_EXTRA_VERSION="-dev" PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION" PHP_VERSION_ID=`expr [$]PHP_MAJOR_VERSION \* 10000 + [$]PHP_MINOR_VERSION \* 100 + [$]PHP_RELEASE_VERSION` diff --git a/main/php_version.h b/main/php_version.h index d0aab5a10cd..34e91ea672a 100644 --- a/main/php_version.h +++ b/main/php_version.h @@ -2,8 +2,7 @@ /* edit configure.in to change version number */ #define PHP_MAJOR_VERSION 5 #define PHP_MINOR_VERSION 4 -#define PHP_RELEASE_VERSION 37 - +#define PHP_RELEASE_VERSION 38 #define PHP_EXTRA_VERSION "-dev" -#define PHP_VERSION "5.4.37-dev" -#define PHP_VERSION_ID 50437 +#define PHP_VERSION "5.4.38-dev" +#define PHP_VERSION_ID 50438