Backport CVE-2014-8142 / bug #68594 to 5.3.29

Author: AJ Christensen

NEWS

@@ -1,7 +1,10 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
-14 Aug 2014, PHP 5.3.29
+7 Jan 2015, PHP 5.3.29 (Security Release)
+- Core:
+  . Fixed bug #68594 (Use after free vulnerability in unserialize()). (fujin)
 
+14 Aug 2014, PHP 5.3.29
 - Core:
   . Fixed bug #66127 (Segmentation fault with ArrayObject unset). (Stas)
   . Fixed bug #67247 (spl_fixedarray_resize integer overflow). (Stas)

ext/standard/tests/serialize/bug68594.phpt

@@ -0,0 +1,23 @@
+--TEST--
+Bug #68545 Use after free vulnerability in unserialize()
+--FILE--
+<?php
+for ($i=4; $i<100; $i++) {
+	$m = new StdClass();
+
+	$u = array(1);
+
+	$m->aaa = array(1,2,&$u,4,5);
+	$m->bbb = 1;
+	$m->ccc = &$u;
+	$m->ddd = str_repeat("A", $i);
+
+	$z = serialize($m);
+	$z = str_replace("bbb", "aaa", $z);
+	$y = unserialize($z);
+	$z = serialize($y);
+}
+?>
+===DONE===
+--EXPECTF--
+===DONE===

ext/standard/var_unserializer.c

@@ -1,5 +1,4 @@
 /* Generated by re2c 0.13.5 on Wed Sep 28 15:40:15 2011 */
-#line 1 "ext/standard/var_unserializer.re"
 /*
   +----------------------------------------------------------------------+
   | PHP Version 5                                                        |
@@ -190,7 +189,6 @@ static char *unserialize_str(const unsigned char **p, size_t *len, size_t maxlen
 #define YYMARKER marker
 
 
-#line 198 "ext/standard/var_unserializer.re"
 
 
 
@@ -403,7 +401,6 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 
 
 
-#line 407 "ext/standard/var_unserializer.c"
 {
 	YYCTYPE yych;
 	static const unsigned char yybm[] = {
@@ -463,9 +460,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	yych = *(YYMARKER = ++YYCURSOR);
 	if (yych == ':') goto yy95;
 yy3:
-#line 729 "ext/standard/var_unserializer.re"
 	{ return 0; }
-#line 469 "ext/standard/var_unserializer.c"
 yy4:
 	yych = *(YYMARKER = ++YYCURSOR);
 	if (yych == ':') goto yy89;
@@ -508,13 +503,11 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	goto yy3;
 yy14:
 	++YYCURSOR;
-#line 723 "ext/standard/var_unserializer.re"
 	{
 	/* this is the case where we have less data than planned */
 	php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Unexpected end of serialized data");
 	return 0; /* not sure if it should be 0 or 1 here? */
 }
-#line 518 "ext/standard/var_unserializer.c"
 yy16:
 	yych = *++YYCURSOR;
 	goto yy3;
@@ -544,7 +537,6 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	yych = *++YYCURSOR;
 	if (yych != '"') goto yy18;
 	++YYCURSOR;
-#line 606 "ext/standard/var_unserializer.re"
 	{
 	size_t len, len2, len3, maxlen;
 	long elements;
@@ -661,7 +653,6 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 
 	return object_common2(UNSERIALIZE_PASSTHRU, elements);
 }
-#line 665 "ext/standard/var_unserializer.c"
 yy25:
 	yych = *++YYCURSOR;
 	if (yych <= ',') {
@@ -686,15 +677,13 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	yych = *++YYCURSOR;
 	if (yych != '"') goto yy18;
 	++YYCURSOR;
-#line 598 "ext/standard/var_unserializer.re"
 	{
 
 	INIT_PZVAL(*rval);
 
 	return object_common2(UNSERIALIZE_PASSTHRU,
 			object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR));
 }
-#line 698 "ext/standard/var_unserializer.c"
 yy32:
 	yych = *++YYCURSOR;
 	if (yych == '+') goto yy33;
@@ -715,7 +704,6 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	yych = *++YYCURSOR;
 	if (yych != '{') goto yy18;
 	++YYCURSOR;
-#line 578 "ext/standard/var_unserializer.re"
 	{
 	long elements = parse_iv(start + 2);
 	/* use iv() not uiv() in order to check data range */
@@ -735,7 +723,6 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 
 	return finish_nested_data(UNSERIALIZE_PASSTHRU);
 }
-#line 739 "ext/standard/var_unserializer.c"
 yy39:
 	yych = *++YYCURSOR;
 	if (yych == '+') goto yy40;
@@ -756,7 +743,6 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	yych = *++YYCURSOR;
 	if (yych != '"') goto yy18;
 	++YYCURSOR;
-#line 549 "ext/standard/var_unserializer.re"
 	{
 	size_t len, maxlen;
 	char *str;
@@ -785,7 +771,6 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	ZVAL_STRINGL(*rval, str, len, 0);
 	return 1;
 }
-#line 789 "ext/standard/var_unserializer.c"
 yy46:
 	yych = *++YYCURSOR;
 	if (yych == '+') goto yy47;
@@ -806,7 +791,6 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	yych = *++YYCURSOR;
 	if (yych != '"') goto yy18;
 	++YYCURSOR;
-#line 521 "ext/standard/var_unserializer.re"
 	{
 	size_t len, maxlen;
 	char *str;
@@ -834,7 +818,6 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	ZVAL_STRINGL(*rval, str, len, 1);
 	return 1;
 }
-#line 838 "ext/standard/var_unserializer.c"
 yy53:
 	yych = *++YYCURSOR;
 	if (yych <= '/') {
@@ -922,7 +905,6 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	}
 yy63:
 	++YYCURSOR;
-#line 511 "ext/standard/var_unserializer.re"
 	{
 #if SIZEOF_LONG == 4
 use_double:
@@ -932,7 +914,6 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	ZVAL_DOUBLE(*rval, zend_strtod((const char *)start + 2, NULL));
 	return 1;
 }
-#line 936 "ext/standard/var_unserializer.c"
 yy65:
 	yych = *++YYCURSOR;
 	if (yych <= ',') {
@@ -991,7 +972,6 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	yych = *++YYCURSOR;
 	if (yych != ';') goto yy18;
 	++YYCURSOR;
-#line 496 "ext/standard/var_unserializer.re"
 	{
 	*p = YYCURSOR;
 	INIT_PZVAL(*rval);
@@ -1006,7 +986,6 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 
 	return 1;
 }
-#line 1010 "ext/standard/var_unserializer.c"
 yy76:
 	yych = *++YYCURSOR;
 	if (yych == 'N') goto yy73;
@@ -1033,7 +1012,6 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	if (yych <= '9') goto yy79;
 	if (yych != ';') goto yy18;
 	++YYCURSOR;
-#line 469 "ext/standard/var_unserializer.re"
 	{
 #if SIZEOF_LONG == 4
 	int digits = YYCURSOR - start - 3;
@@ -1060,32 +1038,27 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	ZVAL_LONG(*rval, parse_iv(start + 2));
 	return 1;
 }
-#line 1064 "ext/standard/var_unserializer.c"
 yy83:
 	yych = *++YYCURSOR;
 	if (yych <= '/') goto yy18;
 	if (yych >= '2') goto yy18;
 	yych = *++YYCURSOR;
 	if (yych != ';') goto yy18;
 	++YYCURSOR;
-#line 462 "ext/standard/var_unserializer.re"
 	{
 	*p = YYCURSOR;
 	INIT_PZVAL(*rval);
 	ZVAL_BOOL(*rval, parse_iv(start + 2));
 	return 1;
 }
-#line 1079 "ext/standard/var_unserializer.c"
 yy87:
 	++YYCURSOR;
-#line 455 "ext/standard/var_unserializer.re"
 	{
 	*p = YYCURSOR;
 	INIT_PZVAL(*rval);
 	ZVAL_NULL(*rval);
 	return 1;
 }
-#line 1089 "ext/standard/var_unserializer.c"
 yy89:
 	yych = *++YYCURSOR;
 	if (yych <= ',') {
@@ -1108,7 +1081,6 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	if (yych <= '9') goto yy91;
 	if (yych != ';') goto yy18;
 	++YYCURSOR;
-#line 432 "ext/standard/var_unserializer.re"
 	{
 	long id;
 
@@ -1131,7 +1103,6 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 
 	return 1;
 }
-#line 1135 "ext/standard/var_unserializer.c"
 yy95:
 	yych = *++YYCURSOR;
 	if (yych <= ',') {
@@ -1154,7 +1125,6 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	if (yych <= '9') goto yy97;
 	if (yych != ';') goto yy18;
 	++YYCURSOR;
-#line 411 "ext/standard/var_unserializer.re"
 	{
 	long id;
 
@@ -1175,9 +1145,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 
 	return 1;
 }
-#line 1179 "ext/standard/var_unserializer.c"
 }
-#line 731 "ext/standard/var_unserializer.re"
 
 
 	return 0;

ext/standard/var_unserializer.re

@@ -304,6 +304,9 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
 		} else {
 			/* object properties should include no integers */
 			convert_to_string(key);
+			if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
+				var_push_dtor(var_hash, old_data);
+			}
 			zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
 					sizeof data, NULL);
 		}