Fixed bug #70661 (Use After Free Vulnerability in WDDX Packet Deserialization)

2024-11-28 04:14:26 +08:00 · 2015-12-28 14:46:35 -08:00 · 2015-12-28 14:46:35 -08:00 · dcf3c9761c
commit dcf3c9761c
parent 1785d2b805
3 changed files with 72 additions and 1 deletions
--- a/2
+++ b/2
@ -12,6 +12,8 @@ PHP                                                                        NEWS
    Out of Bounds). (emmanuel dot law at gmail dot com).

 - WDDX:
+  . Fixed bug #70661 (Use After Free Vulnerability in WDDX Packet Deserialization).
+    (taoguangchen at icloud dot com)
  . Fixed bug #70741 (Session WDDX Packet Deserialization Type Confusion
    Vulnerability). (taoguangchen at icloud dot com)

--- a/ext/wddx/tests/bug70661.phpt
+++ b/ext/wddx/tests/bug70661.phpt
@ -0,0 +1,69 @@
+--TEST--
+Bug #70661 (Use After Free Vulnerability in WDDX Packet Deserialization)
+--SKIPIF--
+<?php
+if (!extension_loaded("wddx")) print "skip";
+?>
+--FILE--
+<?php
+$fakezval = ptr2str(1122334455);
+$fakezval .= ptr2str(0);
+$fakezval .= "\x00\x00\x00\x00";
+$fakezval .= "\x01";
+$fakezval .= "\x00";
+$fakezval .= "\x00\x00";
+
+$x = <<<EOT
+<?xml version='1.0'?>
+<wddxPacket version='1.0'>
+<header/>
+	<data>
+		<struct>
+			<recordset rowCount='1' fieldNames='ryat'>
+				<field name='ryat'>
+					<var name='php_class_name'>
+						<string>stdClass</string>
+					</var>
+					<null/>
+				</field>
+			</recordset>
+		</struct>	
+	</data>
+</wddxPacket>
+EOT;
+
+$y = wddx_deserialize($x);
+
+for ($i = 0; $i < 5; $i++) {
+	$v[$i] = $fakezval.$i;
+}
+
+var_dump($y);
+
+function ptr2str($ptr)
+{
+	$out = '';
+	
+	for ($i = 0; $i < 8; $i++) {
+		$out .= chr($ptr & 0xff);
+		$ptr >>= 8;
+	}
+	
+	return $out;
+}
+?>
+DONE
+--EXPECTF--
+array(1) {
+  [0]=>
+  array(1) {
+    ["ryat"]=>
+    array(2) {
+      ["php_class_name"]=>
+      string(8) "stdClass"
+      [0]=>
+      NULL
+    }
+  }
+}
+DONE
--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@ -978,7 +978,7 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)

 				if (ent1->varname) {
 					if (!strcmp(ent1->varname, PHP_CLASS_NAME_VAR) &&
-						Z_TYPE_P(ent1->data) == IS_STRING && Z_STRLEN_P(ent1->data)) {
+						Z_TYPE_P(ent1->data) == IS_STRING && Z_STRLEN_P(ent1->data) && ent2->type == ST_STRUCT) {
 						zend_bool incomplete_class = 0;

 						zend_str_tolower(Z_STRVAL_P(ent1->data), Z_STRLEN_P(ent1->data));