Merge branch 'PHP-7.0' into PHP-7.1

2026-04-14 11:32:11 +02:00 · 2017-08-12 13:15:48 +02:00
parent e88ab74886 1a23ebc1ff
commit 4fb7665c09
5 changed files with 567 additions and 538 deletions
--- a/6
+++ b/6
@@ -59,6 +59,12 @@ PHP                                                                        NEWS
    (Andrew Nester)
  . Fixed bug #75015 (Crash in recursive iterator destructors). (Julien)

+- Standard:
+  . Fixed bug #74103 (heap-use-after-free when unserializing invalid array
+    size). (Nikita)
+  . Fixed bug #75054 (A Denial of Service Vulnerability was found when
+    performing deserialization). (Nikita)
+
 - XMLRPC:
  . Fixed bug #74975 (Incorrect xmlrpc serialization for classes with declared
    properties). (blar)
--- a/ext/standard/tests/serialize/bug74103.phpt
+++ b/ext/standard/tests/serialize/bug74103.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Bug #74103: heap-use-after-free when unserializing invalid array size
+--FILE--
+<?php
+var_dump(unserialize('a:7:{i:0;i:04;s:1:"a";i:2;i:00009617006;i:4;s:1:"a";i:4;s:1:"a";R:5;s:1:"7";R:3;s:1:"a";R:5;;s:18;}}'));
+?>
+--EXPECTF--
+Notice: unserialize(): Error at offset 68 of 100 bytes in %s on line %d
+bool(false)
--- a/ext/standard/tests/serialize/bug75054.phpt
+++ b/ext/standard/tests/serialize/bug75054.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Bug #75054: A Denial of Service Vulnerability was found when performing deserialization
+--FILE--
+<?php
+$poc = 'a:9:{i:0;s:4:"0000";i:0;s:4:"0000";i:0;R:2;s:4:"5003";R:2;s:4:"0000";R:2;s:4:"0000";R:2;s:4:"';
+$poc .= "\x06";
+$poc .= '000";R:2;s:4:"0000";d:0;s:4:"0000";a:9:{s:4:"0000";';
+var_dump(unserialize($poc));
+?>
+--EXPECTF--
+Notice: unserialize(): Error at offset 43 of 145 bytes in %s on line %d
+bool(false)
--- a/ext/standard/var_unserializer.c
+++ b/ext/standard/var_unserializer.c
--- a/ext/standard/var_unserializer.re
+++ b/ext/standard/var_unserializer.re
@@ -454,16 +454,7 @@ string_key:
 			return 0;
 		}

-		if (UNEXPECTED(Z_ISUNDEF_P(data))) {
-			if (Z_TYPE(key) == IS_LONG) {
-				zend_hash_index_del(ht, Z_LVAL(key));
-			} else {
-				zend_hash_del_ind(ht, Z_STR(key));
-			}
-		} else {
-			var_push_dtor(var_hash, data);
-		}
-
+		var_push_dtor(var_hash, data);
 		zval_dtor(&key);

 		if (elements && *(*p-1) != ';' && *(*p-1) != '}') {
@@ -636,11 +627,10 @@ static int php_var_unserialize_internal(UNSERIALIZE_PARAMETER)
 		return 0;
 	}

-	zval_ptr_dtor(rval);
 	if (Z_ISUNDEF_P(rval_ref) || (Z_ISREF_P(rval_ref) && Z_ISUNDEF_P(Z_REFVAL_P(rval_ref)))) {
-		ZVAL_UNDEF(rval);
-		return 1;
+		return 0;
 	}
+
 	if (Z_ISREF_P(rval_ref)) {
 		ZVAL_COPY(rval, rval_ref);
 	} else {
@@ -667,8 +657,7 @@ static int php_var_unserialize_internal(UNSERIALIZE_PARAMETER)
 	}

 	if (Z_ISUNDEF_P(rval_ref) || (Z_ISREF_P(rval_ref) && Z_ISUNDEF_P(Z_REFVAL_P(rval_ref)))) {
-		ZVAL_UNDEF(rval);
-		return 1;
+		return 0;
 	}

 	ZVAL_COPY(rval, rval_ref);