mirror of
https://github.com/php/php-src.git
synced 2026-04-17 04:51:03 +02:00
Directly fail unserialization when trying to acquire an r/R reference to an UNDEF HT slot. Previously this left an UNDEF and later deleted the index/key from the HT.

What actually caused the issue here is a combination of two factors: First, the key deletion was performed using the hash API, rather than the symtable API, such that the element was not actually removed if it used an integral string key. Second, a subsequent deletion operation, while collecting trailing UNDEF ranges, would mark the element as available for reuse (leaving a corrupted HT state with nNumOfElements > nNumUsed).

Fix this by failing early and dropping the deletion code.
13 lines
423 B
PHP
--TEST--
Bug #75054: A Denial of Service Vulnerability was found when performing deserialization
--FILE--
<?php
$poc = 'a:9:{i:0;s:4:"0000";i:0;s:4:"0000";i:0;R:2;s:4:"5003";R:2;s:4:"0000";R:2;s:4:"0000";R:2;s:4:"';
$poc .= "\x06";
$poc .= '000";R:2;s:4:"0000";d:0;s:4:"0000";a:9:{s:4:"0000";';
var_dump(unserialize($poc));
?>
--EXPECTF--
Notice: unserialize(): Error at offset 43 of 145 bytes in %s on line %d
bool(false)
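
The first factor named in the commit message (a delete through the hash API missing an element stored under an integral string key) can be seen in a simplified Python model; this is an added example, not php-src code. `ModelArray`, `normalize_key` and `cleanup_after_failed_element` are hypothetical names, and a 64-bit integer range is assumed.

```python
import re

# Simplified model (an assumption, not php-src code): a PHP array is a dict whose
# keys are int or str. The "symtable" API converts canonical decimal strings to
# integers before touching the table; the plain "hash" API uses the string as-is.
ZEND_LONG_MIN, ZEND_LONG_MAX = -2**63, 2**63 - 1  # assumes a 64-bit build
_CANONICAL_INT = re.compile(r"(0|-?[1-9][0-9]*)\Z")
_MISSING = object()


def normalize_key(key):
    """Return int for an integral string key ("5003"), else the key unchanged."""
    if isinstance(key, str) and _CANONICAL_INT.match(key):
        value = int(key)
        if ZEND_LONG_MIN <= value <= ZEND_LONG_MAX:
            return value
    return key  # "0000", "05", "-0" and out-of-range values stay strings


class ModelArray:
    def __init__(self):
        self.slots = {}

    def symtable_update(self, key, value):
        self.slots[normalize_key(key)] = value

    def hash_del(self, key):
        """Delete by exact key, no normalization. True if something was removed."""
        return self.slots.pop(key, _MISSING) is not _MISSING

    def symtable_del(self, key):
        """Delete after normalizing the key the same way symtable_update does."""
        return self.slots.pop(normalize_key(key), _MISSING) is not _MISSING


def cleanup_after_failed_element(key, use_symtable):
    """Store a placeholder under `key`, then try to delete it again."""
    arr = ModelArray()
    arr.symtable_update(key, None)  # placeholder for the element being parsed
    removed = arr.symtable_del(key) if use_symtable else arr.hash_del(key)
    return removed, list(arr.slots)


if __name__ == "__main__":
    for key in ("0000", "5003"):  # both keys appear in the test's input string
        for use_symtable in (False, True):
            print(key, use_symtable, cleanup_after_failed_element(key, use_symtable))
```

In the model, `"0000"` is not a canonical integer, so both delete paths agree on it; only `"5003"` is stored under an integer key that an exact-string delete cannot find.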