mirror of
https://github.com/php/php-src.git
synced 2024-12-04 23:34:25 +08:00
Fix bug #73147: Use After Free in PHP7 unserialize()
This commit is contained in:
parent
e1709b7e58
commit
0e6fe3a4c9
@ -3776,6 +3776,30 @@ ZEND_API void zend_update_property(zend_class_entry *scope, zval *object, const
|
||||
}
|
||||
/* }}} */
|
||||
|
||||
ZEND_API void zend_unset_property(zend_class_entry *scope, zval *object, const char *name, int name_length TSRMLS_DC) /* {{{ */
|
||||
{
|
||||
zval *property;
|
||||
zend_class_entry *old_scope = EG(scope);
|
||||
|
||||
EG(scope) = scope;
|
||||
|
||||
if (!Z_OBJ_HT_P(object)->unset_property) {
|
||||
const char *class_name;
|
||||
zend_uint class_name_len;
|
||||
|
||||
zend_get_object_classname(object, &class_name, &class_name_len TSRMLS_CC);
|
||||
|
||||
zend_error(E_CORE_ERROR, "Property %s of class %s cannot be unset", name, class_name);
|
||||
}
|
||||
MAKE_STD_ZVAL(property);
|
||||
ZVAL_STRINGL(property, name, name_length, 1);
|
||||
Z_OBJ_HT_P(object)->unset_property(object, property, 0 TSRMLS_CC);
|
||||
zval_ptr_dtor(&property);
|
||||
|
||||
EG(scope) = old_scope;
|
||||
}
|
||||
/* }}} */
|
||||
|
||||
ZEND_API void zend_update_property_null(zend_class_entry *scope, zval *object, const char *name, int name_length TSRMLS_DC) /* {{{ */
|
||||
{
|
||||
zval *tmp;
|
||||
|
@ -330,6 +330,7 @@ ZEND_API void zend_update_property_long(zend_class_entry *scope, zval *object, c
|
||||
ZEND_API void zend_update_property_double(zend_class_entry *scope, zval *object, const char *name, int name_length, double value TSRMLS_DC);
|
||||
ZEND_API void zend_update_property_string(zend_class_entry *scope, zval *object, const char *name, int name_length, const char *value TSRMLS_DC);
|
||||
ZEND_API void zend_update_property_stringl(zend_class_entry *scope, zval *object, const char *name, int name_length, const char *value, int value_length TSRMLS_DC);
|
||||
ZEND_API void zend_unset_property(zend_class_entry *scope, zval *object, const char *name, int name_length TSRMLS_DC);
|
||||
|
||||
ZEND_API int zend_update_static_property(zend_class_entry *scope, const char *name, int name_length, zval *value TSRMLS_DC);
|
||||
ZEND_API int zend_update_static_property_null(zend_class_entry *scope, const char *name, int name_length TSRMLS_DC);
|
||||
|
@ -137,7 +137,10 @@ ZEND_METHOD(CURLFile, setPostFilename)
|
||||
Unserialization handler */
|
||||
ZEND_METHOD(CURLFile, __wakeup)
|
||||
{
|
||||
zend_update_property_string(curl_CURLFile_class, getThis(), "name", sizeof("name")-1, "" TSRMLS_CC);
|
||||
zval *_this = getThis();
|
||||
|
||||
zend_unset_property(curl_CURLFile_class, _this, "name", sizeof("name")-1 TSRMLS_CC);
|
||||
zend_update_property_string(curl_CURLFile_class, _this, "name", sizeof("name")-1, "" TSRMLS_CC);
|
||||
zend_throw_exception(NULL, "Unserialization of CURLFile instances is not allowed", 0 TSRMLS_CC);
|
||||
}
|
||||
/* }}} */
|
||||
|
20
ext/curl/tests/bug73147.phpt
Normal file
20
ext/curl/tests/bug73147.phpt
Normal file
@ -0,0 +1,20 @@
|
||||
--TEST--
|
||||
Bug #73147: Use After Free in PHP7 unserialize()
|
||||
--SKIPIF--
|
||||
<?php
|
||||
if (!extension_loaded("curl")) {
|
||||
exit("skip curl extension not loaded");
|
||||
}
|
||||
?>
|
||||
--FILE--
|
||||
<?php
|
||||
|
||||
$poc = 'a:1:{i:0;O:8:"CURLFile":1:{s:4:"name";R:1;}}';
|
||||
try {
|
||||
var_dump(unserialize($poc));
|
||||
} catch(Exception $e) {
|
||||
echo $e->getMessage();
|
||||
}
|
||||
?>
|
||||
--EXPECT--
|
||||
Unserialization of CURLFile instances is not allowed
|
Loading…
Reference in New Issue
Block a user