Fixed bug #68976 - Use After Free Vulnerability in unserialize()

NEWS

@@ -3,9 +3,10 @@ PHP                                                                        NEWS
 ?? ??? 2015 PHP 5.4.39
 
 - Core:
-  . Fixed bug #69207 (move_uploaded_file allows nulls in path). (Stas)
+  . Fixed bug #68976 (Use After Free Vulnerability in unserialize()). (Stas)
   . Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM
     configuration options). (Anatol Belski)
+  . Fixed bug #69207 (move_uploaded_file allows nulls in path). (Stas)
 
 - SOAP:
   . Fixed bug #69085 (SoapClient's __call() type confusion through

ext/standard/var_unserializer.c

@@ -1,4 +1,4 @@
-/* Generated by re2c 0.13.7.5 on Thu Jan  1 14:43:18 2015 */
+/* Generated by re2c 0.13.7.5 on Tue Mar 17 13:14:30 2015 */
 #line 1 "ext/standard/var_unserializer.re"
 /*
   +----------------------------------------------------------------------+
@@ -349,6 +349,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
 			zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
 					sizeof data, NULL);
 		}
+		var_push_dtor(var_hash, &data);
 		
 		zval_dtor(key);
 		FREE_ZVAL(key);
@@ -483,7 +484,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	
 	
 
-#line 487 "ext/standard/var_unserializer.c"
+#line 488 "ext/standard/var_unserializer.c"
 {
 	YYCTYPE yych;
 	static const unsigned char yybm[] = {
@@ -543,9 +544,9 @@ yy2:
 	yych = *(YYMARKER = ++YYCURSOR);
 	if (yych == ':') goto yy95;
 yy3:
-#line 838 "ext/standard/var_unserializer.re"
+#line 839 "ext/standard/var_unserializer.re"
 	{ return 0; }
-#line 549 "ext/standard/var_unserializer.c"
+#line 550 "ext/standard/var_unserializer.c"
 yy4:
 	yych = *(YYMARKER = ++YYCURSOR);
 	if (yych == ':') goto yy89;
@@ -588,13 +589,13 @@ yy13:
 	goto yy3;
 yy14:
 	++YYCURSOR;
-#line 832 "ext/standard/var_unserializer.re"
+#line 833 "ext/standard/var_unserializer.re"
 	{
 	/* this is the case where we have less data than planned */
 	php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Unexpected end of serialized data");
 	return 0; /* not sure if it should be 0 or 1 here? */
 }
-#line 598 "ext/standard/var_unserializer.c"
+#line 599 "ext/standard/var_unserializer.c"
 yy16:
 	yych = *++YYCURSOR;
 	goto yy3;
@@ -625,7 +626,7 @@ yy20:
 	yych = *++YYCURSOR;
 	if (yych != '"') goto yy18;
 	++YYCURSOR;
-#line 686 "ext/standard/var_unserializer.re"
+#line 687 "ext/standard/var_unserializer.re"
 	{
 	size_t len, len2, len3, maxlen;
 	long elements;
@@ -771,7 +772,7 @@ yy20:
 
 	return object_common2(UNSERIALIZE_PASSTHRU, elements);
 }
-#line 775 "ext/standard/var_unserializer.c"
+#line 776 "ext/standard/var_unserializer.c"
 yy25:
 	yych = *++YYCURSOR;
 	if (yych <= ',') {
@@ -796,7 +797,7 @@ yy27:
 	yych = *++YYCURSOR;
 	if (yych != '"') goto yy18;
 	++YYCURSOR;
-#line 678 "ext/standard/var_unserializer.re"
+#line 679 "ext/standard/var_unserializer.re"
 	{
 
 	INIT_PZVAL(*rval);
@@ -804,7 +805,7 @@ yy27:
 	return object_common2(UNSERIALIZE_PASSTHRU,
 			object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR));
 }
-#line 808 "ext/standard/var_unserializer.c"
+#line 809 "ext/standard/var_unserializer.c"
 yy32:
 	yych = *++YYCURSOR;
 	if (yych == '+') goto yy33;
@@ -825,7 +826,7 @@ yy34:
 	yych = *++YYCURSOR;
 	if (yych != '{') goto yy18;
 	++YYCURSOR;
-#line 658 "ext/standard/var_unserializer.re"
+#line 659 "ext/standard/var_unserializer.re"
 	{
 	long elements = parse_iv(start + 2);
 	/* use iv() not uiv() in order to check data range */
@@ -845,7 +846,7 @@ yy34:
 
 	return finish_nested_data(UNSERIALIZE_PASSTHRU);
 }
-#line 849 "ext/standard/var_unserializer.c"
+#line 850 "ext/standard/var_unserializer.c"
 yy39:
 	yych = *++YYCURSOR;
 	if (yych == '+') goto yy40;
@@ -866,7 +867,7 @@ yy41:
 	yych = *++YYCURSOR;
 	if (yych != '"') goto yy18;
 	++YYCURSOR;
-#line 629 "ext/standard/var_unserializer.re"
+#line 630 "ext/standard/var_unserializer.re"
 	{
 	size_t len, maxlen;
 	char *str;
@@ -895,7 +896,7 @@ yy41:
 	ZVAL_STRINGL(*rval, str, len, 0);
 	return 1;
 }
-#line 899 "ext/standard/var_unserializer.c"
+#line 900 "ext/standard/var_unserializer.c"
 yy46:
 	yych = *++YYCURSOR;
 	if (yych == '+') goto yy47;
@@ -916,7 +917,7 @@ yy48:
 	yych = *++YYCURSOR;
 	if (yych != '"') goto yy18;
 	++YYCURSOR;
-#line 601 "ext/standard/var_unserializer.re"
+#line 602 "ext/standard/var_unserializer.re"
 	{
 	size_t len, maxlen;
 	char *str;
@@ -944,7 +945,7 @@ yy48:
 	ZVAL_STRINGL(*rval, str, len, 1);
 	return 1;
 }
-#line 948 "ext/standard/var_unserializer.c"
+#line 949 "ext/standard/var_unserializer.c"
 yy53:
 	yych = *++YYCURSOR;
 	if (yych <= '/') {
@@ -1032,7 +1033,7 @@ yy61:
 	}
 yy63:
 	++YYCURSOR;
-#line 591 "ext/standard/var_unserializer.re"
+#line 592 "ext/standard/var_unserializer.re"
 	{
 #if SIZEOF_LONG == 4
 use_double:
@@ -1042,7 +1043,7 @@ use_double:
 	ZVAL_DOUBLE(*rval, zend_strtod((const char *)start + 2, NULL));
 	return 1;
 }
-#line 1046 "ext/standard/var_unserializer.c"
+#line 1047 "ext/standard/var_unserializer.c"
 yy65:
 	yych = *++YYCURSOR;
 	if (yych <= ',') {
@@ -1101,7 +1102,7 @@ yy73:
 	yych = *++YYCURSOR;
 	if (yych != ';') goto yy18;
 	++YYCURSOR;
-#line 576 "ext/standard/var_unserializer.re"
+#line 577 "ext/standard/var_unserializer.re"
 	{
 	*p = YYCURSOR;
 	INIT_PZVAL(*rval);
@@ -1116,7 +1117,7 @@ yy73:
 
 	return 1;
 }
-#line 1120 "ext/standard/var_unserializer.c"
+#line 1121 "ext/standard/var_unserializer.c"
 yy76:
 	yych = *++YYCURSOR;
 	if (yych == 'N') goto yy73;
@@ -1143,7 +1144,7 @@ yy79:
 	if (yych <= '9') goto yy79;
 	if (yych != ';') goto yy18;
 	++YYCURSOR;
-#line 549 "ext/standard/var_unserializer.re"
+#line 550 "ext/standard/var_unserializer.re"
 	{
 #if SIZEOF_LONG == 4
 	int digits = YYCURSOR - start - 3;
@@ -1170,7 +1171,7 @@ yy79:
 	ZVAL_LONG(*rval, parse_iv(start + 2));
 	return 1;
 }
-#line 1174 "ext/standard/var_unserializer.c"
+#line 1175 "ext/standard/var_unserializer.c"
 yy83:
 	yych = *++YYCURSOR;
 	if (yych <= '/') goto yy18;
@@ -1178,24 +1179,24 @@ yy83:
 	yych = *++YYCURSOR;
 	if (yych != ';') goto yy18;
 	++YYCURSOR;
-#line 542 "ext/standard/var_unserializer.re"
+#line 543 "ext/standard/var_unserializer.re"
 	{
 	*p = YYCURSOR;
 	INIT_PZVAL(*rval);
 	ZVAL_BOOL(*rval, parse_iv(start + 2));
 	return 1;
 }
-#line 1189 "ext/standard/var_unserializer.c"
+#line 1190 "ext/standard/var_unserializer.c"
 yy87:
 	++YYCURSOR;
-#line 535 "ext/standard/var_unserializer.re"
+#line 536 "ext/standard/var_unserializer.re"
 	{
 	*p = YYCURSOR;
 	INIT_PZVAL(*rval);
 	ZVAL_NULL(*rval);
 	return 1;
 }
-#line 1199 "ext/standard/var_unserializer.c"
+#line 1200 "ext/standard/var_unserializer.c"
 yy89:
 	yych = *++YYCURSOR;
 	if (yych <= ',') {
@@ -1218,7 +1219,7 @@ yy91:
 	if (yych <= '9') goto yy91;
 	if (yych != ';') goto yy18;
 	++YYCURSOR;
-#line 512 "ext/standard/var_unserializer.re"
+#line 513 "ext/standard/var_unserializer.re"
 	{
 	long id;
 
@@ -1241,7 +1242,7 @@ yy91:
 	
 	return 1;
 }
-#line 1245 "ext/standard/var_unserializer.c"
+#line 1246 "ext/standard/var_unserializer.c"
 yy95:
 	yych = *++YYCURSOR;
 	if (yych <= ',') {
@@ -1264,7 +1265,7 @@ yy97:
 	if (yych <= '9') goto yy97;
 	if (yych != ';') goto yy18;
 	++YYCURSOR;
-#line 491 "ext/standard/var_unserializer.re"
+#line 492 "ext/standard/var_unserializer.re"
 	{
 	long id;
 
@@ -1285,9 +1286,9 @@ yy97:
 	
 	return 1;
 }
-#line 1289 "ext/standard/var_unserializer.c"
+#line 1290 "ext/standard/var_unserializer.c"
 }
-#line 840 "ext/standard/var_unserializer.re"
+#line 841 "ext/standard/var_unserializer.re"
 
 
 	return 0;

ext/standard/var_unserializer.re

@@ -353,6 +353,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
 			zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
 					sizeof data, NULL);
 		}
+		var_push_dtor(var_hash, &data);
 		
 		zval_dtor(key);
 		FREE_ZVAL(key);