More fixes for bug #69152

Stanislav Malyshev 2015-04-05 17:30:59 -07:00
parent 4435b9142f
commit a894a8155f
2 changed files with 19 additions and 0 deletions


@ -591,6 +591,9 @@ ZEND_METHOD(exception, getTraceAsString)
str = &res; str = &res;
trace = zend_read_property(default_exception_ce, getThis(), "trace", sizeof("trace")-1, 1 TSRMLS_CC); trace = zend_read_property(default_exception_ce, getThis(), "trace", sizeof("trace")-1, 1 TSRMLS_CC);
if(Z_TYPE_P(trace) != IS_ARRAY) {
RETURN_FALSE;
}
zend_hash_apply_with_arguments(Z_ARRVAL_P(trace) TSRMLS_CC, (apply_func_args_t)_build_trace_string, 3, str, len, &num); zend_hash_apply_with_arguments(Z_ARRVAL_P(trace) TSRMLS_CC, (apply_func_args_t)_build_trace_string, 3, str, len, &num);
s_tmp = emalloc(1 + MAX_LENGTH_OF_LONG + 7 + 1); s_tmp = emalloc(1 + MAX_LENGTH_OF_LONG + 7 + 1);
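Review bot: The early `RETURN_FALSE` added after `str = &res;` leaves the function without releasing `res`; if `res` already owns an allocation at that point (its initialisation is above the hunk and not visible here), the non-array path leaks it. Either free it first, `efree(res); RETURN_FALSE;`, or move the type check ahead of the allocation. The guard also only establishes that `trace` is an array; `_build_trace_string` still receives each element as stored, so it has to type-check the frames itself, which cannot be confirmed from this hunk. A short comment such as `/* "trace" may have been replaced by unserialize(); only walk it when it is an array */` would record why the check exists. ZEND_METHOD(exception, getTraceAsString) begins and ends outside the hunk.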


@ -0,0 +1,16 @@
--TEST--
Bug #69152: Type Confusion Infoleak Vulnerability in unserialize()
--FILE--
<?php
$x = unserialize('O:9:"exception":1:{s:16:"'."\0".'Exception'."\0".'trace";s:4:"ryat";}');
echo $x;
$x = unserialize('O:4:"test":1:{s:27:"__PHP_Incomplete_Class_Name";R:1;}');
$x->test();
?>
--EXPECTF--
exception 'Exception' in %s:%d
Stack trace:
#0 {main}
Fatal error: main(): The script tried to execute a method or access a property of an incomplete object. Please ensure that the class definition "unknown" of the object you are trying to operate on was loaded _before_ unserialize() gets called or provide a __autoload() function to load the class definition in %s on line %d
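Review bot: The new guard's return value is never asserted: the script reaches `getTraceAsString` only indirectly through `echo $x` (presumably via `__toString`), so a regression that returned something other than `false` for a non-array `trace` could still print the same fallback `#0 {main}`. Adding `var_dump($x->getTraceAsString());` right after `echo $x;`, with `bool(false)` in `--EXPECTF--`, would pin it. It has to go before `$x->test();`, because the expected fatal error ends the script.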