|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2017-07-31 12:45 UTC] zeev@php.net
[2017-08-02 17:23 UTC] cmb@php.net
-Type: Security
+Type: Bug
[2020-06-10 10:58 UTC] nikic@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: nikic
[2020-06-10 10:58 UTC] nikic@php.net
|
|||||||||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Sat Dec 21 17:01:58 2024 UTC |
Description: ------------ Memory Corruption in Extended SplFixedArray ``` SPL_METHOD(SplFixedArray, __wakeup) { spl_fixedarray_object *intern = (spl_fixedarray_object *) zend_object_store_get_object(getThis() TSRMLS_CC); HashPosition ptr; HashTable *intern_ht = zend_std_get_properties(getThis() TSRMLS_CC); ... zend_hash_clean(intern_ht); ``` An extended SplFixedArray can contains some properties. In during SplFixedArray deserialization, the deserialized properties will be cleaned. Then destructor call with uninitialized properties that result in memory corruption. PoC: ``` class obj extends SplFixedArray { var $prop; function __destruct() { if ($this->prop) { // doing whatever } } } unserialize('O:3:"obj":1:{s:4:"prop";i:1;}'); /* $wddx = <<<EOT <?xml version='1.0'?> <wddxPacket version='1.0'> <header/> <data> <struct> <var name='php_class_name'> <string>obj</string> </var> <var name='prop'> <number>1</number> </var> </struct> </data> </wddxPacket> EOT; wddx_deserialize($wddx); */ ```