Leak in failed unserialize() with opcache

With opcache, zend_string_init_interned() will allocate non-interned strings at
runtime because shm is locked. Hence, we need to make sure to actually free this
string.

Fixes OSS-Fuzz #433303828
Closes GH-19211
Ilija Tovilo 2025-07-22 12:38:06 +02:00
parent 13c781f04d
commit 5d1636e40b
No known key found for this signature in database
GPG key ID: 5050C66BFCD1015A
3 changed files with 19 additions and 0 deletions

NEWS
View file

@ -29,6 +29,10 @@ PHP NEWS
- Sockets: - Sockets:
. Fix some potential crashes on incorrect argument value. (nielsdos) . Fix some potential crashes on incorrect argument value. (nielsdos)
- Standard:
. Fixed OSS Fuzz #417078295 (Leak in failed unserialize() with opcache).
(ilutov)
31 Jul 2025, PHP 8.3.24 31 Jul 2025, PHP 8.3.24
- Calendar: - Calendar:
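Review bot: the OSS-Fuzz issue number in the new NEWS entry (#417078295) does not match the one in the commit title and in the added test (#433303828); one of the two is wrong and should be corrected before this lands. Minor: the entry spells it "OSS Fuzz" while the commit title uses "OSS-Fuzz"; NEWS normally uses the hyphenated form.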

View file

@ -0,0 +1,13 @@
--TEST--
OSS-Fuzz #433303828
--FILE--
<?php
unserialize('O:2:"yy": ');
unserialize('O:2:"yy":: ');
?>
--EXPECTF--
Warning: unserialize(): Error at offset 9 of 10 bytes in %s on line %d
Warning: unserialize(): Error at offset 10 of 11 bytes in %s on line %d
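Review bot: the test has no --EXTENSIONS-- or --INI-- section, yet the commit message says the leak only shows up when opcache is loaded (zend_string_init_interned() falls back to a regular heap allocation once the interned-string table in shm is locked). As written, the test passes with or without the fix unless the run happens to load opcache and check for leaks; consider adding `--EXTENSIONS--` with `opcache` and `--INI--` with `opcache.enable=1` and `opcache.enable_cli=1` so the regression is actually exercised. The two inputs do look like they cover both new release calls: "offset 9 of 10" is consistent with the ':' check, which returns without touching *p, and "offset 10 of 11" with the '{' check, which advances *p by one.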

View file

@ -1310,10 +1310,12 @@ object ":" uiv ":" ["] {
YYCURSOR = *p; YYCURSOR = *p;
if (*(YYCURSOR) != ':') { if (*(YYCURSOR) != ':') {
zend_string_release_ex(class_name, 0);
return 0; return 0;
} }
if (*(YYCURSOR+1) != '{') { if (*(YYCURSOR+1) != '{') {
*p = YYCURSOR+1; *p = YYCURSOR+1;
zend_string_release_ex(class_name, 0);
return 0; return 0;
} }
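Review bot: using zend_string_release_ex(class_name, 0) rather than freeing unconditionally is the right call here: it is a no-op for a genuinely interned string (the case without opcache, or before shm is locked) and only drops the refcount for the runtime-allocated fallback, so the fix is correct in both configurations. Two things to confirm outside this hunk: that every other early `return 0` between the zend_string_init_interned() call and these checks also releases class_name (this hunk only covers the ':' and '{' checks), and that class_name has not already been handed to any other owner at these two points, so the new releases cannot turn into a double release. A short comment above the first check noting why the release is needed (interned strings become non-interned under opcache) would save the next reader a trip to the commit log.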