Merge branch 'PHP-5.5' into PHP-5.6

smalyshev · smalyshev · commit 681a1afd3f76 · 2014-12-16T10:19:32.000-08:00
* PHP-5.5:
  update news
  add CVE
  add missing test file
  Fix bug #68594 - Use after free vulnerability in unserialize()

Conflicts:
	ext/standard/var_unserializer.c
diff --git a/ext/standard/tests/serialize/bug68594.phpt b/ext/standard/tests/serialize/bug68594.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Bug #68545 Use after free vulnerability in unserialize()
+--FILE--
+<?php
+for ($i=4; $i<100; $i++) {
+	$m = new StdClass();
+
+	$u = array(1);
+
+	$m->aaa = array(1,2,&$u,4,5);
+	$m->bbb = 1;
+	$m->ccc = &$u;
+	$m->ddd = str_repeat("A", $i);
+
+	$z = serialize($m);
+	$z = str_replace("bbb", "aaa", $z);
+	$y = unserialize($z);
+	$z = serialize($y);
+}
+?>
+===DONE===
+--EXPECTF--
+===DONE===
diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
@@ -1,4 +1,4 @@
-/* Generated by re2c 0.13.5 */
+/* Generated by re2c 0.13.7.5 */
 #line 1 "ext/standard/var_unserializer.re"
 /*
   +----------------------------------------------------------------------+
@@ -342,6 +342,9 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
 		} else {
 			/* object properties should include no integers */
 			convert_to_string(key);
+			if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
+				var_push_dtor(var_hash, old_data);
+			}
 			zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
 					sizeof data, NULL);
 		}
@@ -475,7 +478,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	
 	
 
-#line 479 "ext/standard/var_unserializer.c"
+#line 482 "ext/standard/var_unserializer.c"
 {
 	YYCTYPE yych;
 	static const unsigned char yybm[] = {
@@ -535,9 +538,9 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	yych = *(YYMARKER = ++YYCURSOR);
 	if (yych == ':') goto yy95;
 yy3:
-#line 830 "ext/standard/var_unserializer.re"
+#line 833 "ext/standard/var_unserializer.re"
 	{ return 0; }
-#line 541 "ext/standard/var_unserializer.c"
+#line 544 "ext/standard/var_unserializer.c"
 yy4:
 	yych = *(YYMARKER = ++YYCURSOR);
 	if (yych == ':') goto yy89;
@@ -580,13 +583,13 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	goto yy3;
 yy14:
 	++YYCURSOR;
-#line 824 "ext/standard/var_unserializer.re"
+#line 827 "ext/standard/var_unserializer.re"
 	{
 	/* this is the case where we have less data than planned */
 	php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Unexpected end of serialized data");
 	return 0; /* not sure if it should be 0 or 1 here? */
 }
-#line 590 "ext/standard/var_unserializer.c"
+#line 593 "ext/standard/var_unserializer.c"
 yy16:
 	yych = *++YYCURSOR;
 	goto yy3;
@@ -612,11 +615,12 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	if (yybm[0+yych] & 128) {
 		goto yy20;
 	}
-	if (yych != ':') goto yy18;
+	if (yych <= '/') goto yy18;
+	if (yych >= ';') goto yy18;
 	yych = *++YYCURSOR;
 	if (yych != '"') goto yy18;
 	++YYCURSOR;
-#line 678 "ext/standard/var_unserializer.re"
+#line 681 "ext/standard/var_unserializer.re"
 	{
 	size_t len, len2, len3, maxlen;
 	long elements;
@@ -762,7 +766,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 
 	return object_common2(UNSERIALIZE_PASSTHRU, elements);
 }
-#line 766 "ext/standard/var_unserializer.c"
+#line 770 "ext/standard/var_unserializer.c"
 yy25:
 	yych = *++YYCURSOR;
 	if (yych <= ',') {
@@ -787,15 +791,15 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	yych = *++YYCURSOR;
 	if (yych != '"') goto yy18;
 	++YYCURSOR;
-#line 670 "ext/standard/var_unserializer.re"
+#line 673 "ext/standard/var_unserializer.re"
 	{
 
 	INIT_PZVAL(*rval);
 	
 	return object_common2(UNSERIALIZE_PASSTHRU,
 			object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR));
 }
-#line 799 "ext/standard/var_unserializer.c"
+#line 803 "ext/standard/var_unserializer.c"
 yy32:
 	yych = *++YYCURSOR;
 	if (yych == '+') goto yy33;
@@ -816,7 +820,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	yych = *++YYCURSOR;
 	if (yych != '{') goto yy18;
 	++YYCURSOR;
-#line 650 "ext/standard/var_unserializer.re"
+#line 653 "ext/standard/var_unserializer.re"
 	{
 	long elements = parse_iv(start + 2);
 	/* use iv() not uiv() in order to check data range */
@@ -836,7 +840,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 
 	return finish_nested_data(UNSERIALIZE_PASSTHRU);
 }
-#line 840 "ext/standard/var_unserializer.c"
+#line 844 "ext/standard/var_unserializer.c"
 yy39:
 	yych = *++YYCURSOR;
 	if (yych == '+') goto yy40;
@@ -857,7 +861,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	yych = *++YYCURSOR;
 	if (yych != '"') goto yy18;
 	++YYCURSOR;
-#line 621 "ext/standard/var_unserializer.re"
+#line 624 "ext/standard/var_unserializer.re"
 	{
 	size_t len, maxlen;
 	char *str;
@@ -886,7 +890,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	ZVAL_STRINGL(*rval, str, len, 0);
 	return 1;
 }
-#line 890 "ext/standard/var_unserializer.c"
+#line 894 "ext/standard/var_unserializer.c"
 yy46:
 	yych = *++YYCURSOR;
 	if (yych == '+') goto yy47;
@@ -907,7 +911,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	yych = *++YYCURSOR;
 	if (yych != '"') goto yy18;
 	++YYCURSOR;
-#line 593 "ext/standard/var_unserializer.re"
+#line 596 "ext/standard/var_unserializer.re"
 	{
 	size_t len, maxlen;
 	char *str;
@@ -935,7 +939,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	ZVAL_STRINGL(*rval, str, len, 1);
 	return 1;
 }
-#line 939 "ext/standard/var_unserializer.c"
+#line 943 "ext/standard/var_unserializer.c"
 yy53:
 	yych = *++YYCURSOR;
 	if (yych <= '/') {
@@ -1023,7 +1027,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	}
 yy63:
 	++YYCURSOR;
-#line 583 "ext/standard/var_unserializer.re"
+#line 586 "ext/standard/var_unserializer.re"
 	{
 #if SIZEOF_LONG == 4
 use_double:
@@ -1033,7 +1037,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	ZVAL_DOUBLE(*rval, zend_strtod((const char *)start + 2, NULL));
 	return 1;
 }
-#line 1037 "ext/standard/var_unserializer.c"
+#line 1041 "ext/standard/var_unserializer.c"
 yy65:
 	yych = *++YYCURSOR;
 	if (yych <= ',') {
@@ -1092,7 +1096,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	yych = *++YYCURSOR;
 	if (yych != ';') goto yy18;
 	++YYCURSOR;
-#line 568 "ext/standard/var_unserializer.re"
+#line 571 "ext/standard/var_unserializer.re"
 	{
 	*p = YYCURSOR;
 	INIT_PZVAL(*rval);
@@ -1107,7 +1111,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 
 	return 1;
 }
-#line 1111 "ext/standard/var_unserializer.c"
+#line 1115 "ext/standard/var_unserializer.c"
 yy76:
 	yych = *++YYCURSOR;
 	if (yych == 'N') goto yy73;
@@ -1134,7 +1138,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	if (yych <= '9') goto yy79;
 	if (yych != ';') goto yy18;
 	++YYCURSOR;
-#line 541 "ext/standard/var_unserializer.re"
+#line 544 "ext/standard/var_unserializer.re"
 	{
 #if SIZEOF_LONG == 4
 	int digits = YYCURSOR - start - 3;
@@ -1161,32 +1165,32 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	ZVAL_LONG(*rval, parse_iv(start + 2));
 	return 1;
 }
-#line 1165 "ext/standard/var_unserializer.c"
+#line 1169 "ext/standard/var_unserializer.c"
 yy83:
 	yych = *++YYCURSOR;
 	if (yych <= '/') goto yy18;
 	if (yych >= '2') goto yy18;
 	yych = *++YYCURSOR;
 	if (yych != ';') goto yy18;
 	++YYCURSOR;
-#line 534 "ext/standard/var_unserializer.re"
+#line 537 "ext/standard/var_unserializer.re"
 	{
 	*p = YYCURSOR;
 	INIT_PZVAL(*rval);
 	ZVAL_BOOL(*rval, parse_iv(start + 2));
 	return 1;
 }
-#line 1180 "ext/standard/var_unserializer.c"
+#line 1184 "ext/standard/var_unserializer.c"
 yy87:
 	++YYCURSOR;
-#line 527 "ext/standard/var_unserializer.re"
+#line 530 "ext/standard/var_unserializer.re"
 	{
 	*p = YYCURSOR;
 	INIT_PZVAL(*rval);
 	ZVAL_NULL(*rval);
 	return 1;
 }
-#line 1190 "ext/standard/var_unserializer.c"
+#line 1194 "ext/standard/var_unserializer.c"
 yy89:
 	yych = *++YYCURSOR;
 	if (yych <= ',') {
@@ -1209,7 +1213,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	if (yych <= '9') goto yy91;
 	if (yych != ';') goto yy18;
 	++YYCURSOR;
-#line 504 "ext/standard/var_unserializer.re"
+#line 507 "ext/standard/var_unserializer.re"
 	{
 	long id;
 
@@ -1232,7 +1236,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	
 	return 1;
 }
-#line 1236 "ext/standard/var_unserializer.c"
+#line 1240 "ext/standard/var_unserializer.c"
 yy95:
 	yych = *++YYCURSOR;
 	if (yych <= ',') {
@@ -1255,7 +1259,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	if (yych <= '9') goto yy97;
 	if (yych != ';') goto yy18;
 	++YYCURSOR;
-#line 483 "ext/standard/var_unserializer.re"
+#line 486 "ext/standard/var_unserializer.re"
 	{
 	long id;
 
@@ -1276,9 +1280,9 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
 	
 	return 1;
 }
-#line 1280 "ext/standard/var_unserializer.c"
+#line 1284 "ext/standard/var_unserializer.c"
 }
-#line 832 "ext/standard/var_unserializer.re"
+#line 835 "ext/standard/var_unserializer.re"
 
 
 	return 0;
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
@@ -346,6 +346,9 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
 		} else {
 			/* object properties should include no integers */
 			convert_to_string(key);
+			if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
+				var_push_dtor(var_hash, old_data);
+			}
 			zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
 					sizeof data, NULL);
 		}
