home-work
/
alpine-pkg
1
1
Fork 0
Code Issues Pull Requests Releases Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1105 Commits
5 Branches
0 Tags
5.6 MiB
 
 
Tree: 81dc16e1f5
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '81dc16e1f5'
${ noResults }
alpine-pkg/php/php5.4/d07-u002-CVE-2016-3141.patch

119 lines
3.1 KiB
Raw Blame History

From d98e350dcdf1d451163c4cdac27aaefdcad63655 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sun, 14 Feb 2016 22:34:39 -0800
Subject: [PATCH] CVE-2016-3141
Fixed bug #71587 - Use-After-Free / Double-Free in WDDX Deserialize
Bug: https://bugs.php.net/bug.php?id=71587
Origin: backport, https://git.php.net/?p=php-src.git;a=commitdiff;h=b1bd4119bcafab6f9a8f84d92cd65eec3afeface
---
ext/wddx/tests/bug71587.phpt | 43 +++++++++++++++++++++++++++++++++++++++++++
ext/wddx/wddx.c | 16 +++++++++++++---
2 files changed, 58 insertions(+), 4 deletions(-)
create mode 100644 ext/wddx/tests/bug71587.phpt
diff --git a/ext/wddx/tests/bug71587.phpt b/ext/wddx/tests/bug71587.phpt
new file mode 100644
index 0000000..3fdfc35
--- /dev/null
+++ b/ext/wddx/tests/bug71587.phpt
@@ -0,0 +1,43 @@
+--TEST--
+Bug #71587 (Use-After-Free / Double-Free in WDDX Deserialize)
+--SKIPIF--
+<?php
+if (!extension_loaded("wddx")) print "skip";
+?>
+--FILE--
+<?php
+
+$xml = <<<EOF
+<?xml version='1.0' ?>
+<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
+<wddxPacket version='1.0'>
+ <array>
+ <var name='ML'></var>
+ <string>manhluat</string>
+ <var name='ML2'></var>
+ <boolean value='a'/>
+ <boolean value='true'/>
+ </array>
+</wddxPacket>
+EOF;
+
+$wddx = wddx_deserialize($xml);
+var_dump($wddx);
+// Print mem leak
+foreach($wddx as $k=>$v)
+ printf("Key: %s\nValue: %s\n",bin2hex($k),bin2hex($v));
+
+?>
+DONE
+--EXPECTF--
+array(2) {
+ [0]=>
+ string(8) "manhluat"
+ [1]=>
+ bool(true)
+}
+Key: 30
+Value: 6d616e686c756174
+Key: 31
+Value: 31
+DONE
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
index ff9f64b5..e515be57 100644
--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@@ -938,6 +938,16 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
!strcmp(name, EL_DATETIME)) {
wddx_stack_top(stack, (void**)&ent1);
+ if (!ent1->data) {
+ if (stack->top > 1) {
+ stack->top--;
+ } else {
+ stack->done = 1;
+ }
+ efree(ent1);
+ return;
+ }
+
if (!strcmp(name, EL_BINARY)) {
int new_len=0;
unsigned char *new_str;
@@ -1037,6 +1047,7 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
}
} else if (!strcmp(name, EL_VAR) && stack->varname) {
efree(stack->varname);
+ stack->varname = NULL;
} else if (!strcmp(name, EL_FIELD)) {
st_entry *ent;
wddx_stack_top(stack, (void **)&ent);
@@ -1056,7 +1067,7 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len)
if (!wddx_stack_is_empty(stack) && !stack->done) {
wddx_stack_top(stack, (void**)&ent);
- switch (Z_TYPE_P(ent)) {
+ switch (ent->type) {
case ST_STRING:
if (Z_STRLEN_P(ent->data) == 0) {
STR_FREE(Z_STRVAL_P(ent->data));
@@ -1098,13 +1109,12 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len)
} else if (!strcmp(s, "false")) {
Z_LVAL_P(ent->data) = 0;
} else {
- stack->top--;
zval_ptr_dtor(&ent->data);
if (ent->varname) {
efree(ent->varname);
ent->varname = NULL;
}
- efree(ent);
+ ent->data = NULL;
}
break;
--
2.11.0