My Alpine packages repository.
https://dryabzhinsky.noip.me/packages/en/alpinelinux-support/
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
72 lines
2.2 KiB
72 lines
2.2 KiB
From 3798eb6fd5dddb211b01d41495072fd9858d4e32 Mon Sep 17 00:00:00 2001 |
|
From: Stanislav Malyshev <stas@php.net> |
|
Date: Tue, 12 Jul 2016 23:27:45 -0700 |
|
Subject: [PATCH] Fix bug #72562 - destroy var_hash properly |
|
|
|
--- |
|
ext/session/session.c | 3 ++- |
|
ext/session/tests/bug72562.phpt | 44 +++++++++++++++++++++++++++++++++++++++++ |
|
2 files changed, 46 insertions(+), 1 deletion(-) |
|
create mode 100644 ext/session/tests/bug72562.phpt |
|
|
|
Index: php5-5.4.45/ext/session/session.c |
|
=================================================================== |
|
--- php5-5.4.45.orig/ext/session/session.c 2016-08-25 15:07:55.000000000 +0200 |
|
+++ php5-5.4.45/ext/session/session.c 2016-08-25 15:07:55.000000000 +0200 |
|
@@ -837,6 +837,7 @@ |
|
namelen = ((unsigned char)(*p)) & (~PS_BIN_UNDEF); |
|
|
|
if (namelen < 0 || namelen > PS_BIN_MAX || (p + namelen) >= endptr) { |
|
+ PHP_VAR_UNSERIALIZE_DESTROY(var_hash); |
|
return FAILURE; |
|
} |
|
|
|
Index: php5-5.4.45/ext/session/tests/bug72562.phpt |
|
=================================================================== |
|
--- /dev/null 1970-01-01 00:00:00.000000000 +0000 |
|
+++ php5-5.4.45/ext/session/tests/bug72562.phpt 2016-08-25 15:07:55.000000000 +0200 |
|
@@ -0,0 +1,44 @@ |
|
+--TEST-- |
|
+Bug #72562: Use After Free in unserialize() with Unexpected Session Deserialization |
|
+--SKIPIF-- |
|
+<?php include('skipif.inc'); ?> |
|
+--FILE-- |
|
+<?php |
|
+ |
|
+ini_set('session.serialize_handler', 'php_binary'); |
|
+session_start(); |
|
+$sess = "\x1xi:1;\x2y"; |
|
+session_decode($sess); |
|
+$uns_1 = '{'; |
|
+$out_1[] = unserialize($uns_1); |
|
+unset($out_1); |
|
+$fakezval = ptr2str(1122334455); |
|
+$fakezval .= ptr2str(0); |
|
+$fakezval .= "\x00\x00\x00\x00"; |
|
+$fakezval .= "\x01"; |
|
+$fakezval .= "\x00"; |
|
+$fakezval .= "\x00\x00"; |
|
+for ($i = 0; $i < 5; $i++) { |
|
+ $v[$i] = $fakezval.$i; |
|
+} |
|
+$uns_2 = 'R:2;'; |
|
+$out_2 = unserialize($uns_2); |
|
+var_dump($out_2); |
|
+ |
|
+function ptr2str($ptr) |
|
+{ |
|
+ $out = ''; |
|
+ for ($i = 0; $i < 8; $i++) { |
|
+ $out .= chr($ptr & 0xff); |
|
+ $ptr >>= 8; |
|
+ } |
|
+ return $out; |
|
+} |
|
+?> |
|
+--EXPECTF-- |
|
+Warning: session_decode(): Failed to decode session object. Session has been destroyed in %s/bug72562.php on line %d |
|
+ |
|
+Notice: unserialize(): Error at offset 0 of 1 bytes in %s/bug72562.php on line %d |
|
+ |
|
+Notice: unserialize(): Error at offset 4 of 4 bytes in %s/bug72562.php on line %d |
|
+bool(false)
|
|
|