Bug #77177 Serializing or unserializing COM objects crashes
Submitted: 2018-11-19 16:38 UTC Modified: 2018-11-20 23:33 UTC
From: php at zsxsoft dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: PHP 7.1.24 OS: Windows
Private report: No CVE-ID: None
 [2018-11-19 16:38 UTC] php at zsxsoft dot com
Description:
------------
When trying to `serialize` an object, `serialize` will try to get all properties of the object by `zend_get_properties_for`. Then it will get the count of the properties by `zend_array_count` without checking for a null pointer.

`com` and `com_safearray_proxy` will always return NULL in `com_properties_get`, so it will crash in `zend_array_count`.

Affected code
------------------------
ext/standard/var.c

static void php_var_serialize_intern(smart_str *buf, zval *struc, php_serialize_data_t var_hash) /* {{{ */
[...]
incomplete_class = php_var_serialize_class_name(buf, struc);
myht = zend_get_properties_for(struc, ZEND_PROP_PURPOSE_SERIALIZE);
> i = zend_array_count(myht); // Crash here because myht == NULL
if (i > 0 && incomplete_class) {
  --i;
}


ext/com_dotnet/com_handlers.c

static HashTable *com_properties_get(zval *object)
{
	/* TODO: use type-info to get all the names and values ?
	 * DANGER: if we do that, there is a strong possibility for
	 * infinite recursion when the hash is displayed via var_dump().
	 * Perhaps it is best to leave it un-implemented.
	 */
	return NULL;
}



Test script:
---------------
<?php
$a = new COM("WScript.Shell");
serialize($a);

Expected result:
----------------
Nothing happens

Actual result:
--------------
Crash

Patches

paxsk (last revision 2022-02-17 07:25 UTC by jaky0306 at qq dot com)
patch (last revision 2020-11-27 02:32 UTC by 920768504 at qq dot com)
newtest0292 (last revision 2020-01-18 16:30 UTC by dadaguo at 126 dot com)

History

 [2018-11-19 18:33 UTC] cmb@php.net
-Status: Open +Status: Verified -PHP Version: Next Major Version +PHP Version: PHP 7.1.24
 [2018-11-19 18:33 UTC] cmb@php.net
This also happens with older PHP versions.

Is a get_properties handler ever supposed to return NULL?
 [2018-11-20 00:37 UTC] php at zsxsoft dot com
Also, unserialize a `com` will cause a crash too.

I reviewed the git blame and found this bug can affect versions from PHP 5.0RC1 up to branch master: https://github.com/php/php-src/blob/6df5d5ba202b531de6bb563e2462e046d701e8d6/ext/com_dotnet/com_handlers.c#L264.

Affected code
---------
ext/standard/var_unserializer.c
static inline int object_common2(UNSERIALIZE_PARAMETER, zend_long elements)

ht = Z_OBJPROP_P(rval); /* NULL for com/dotnet/variant: their get_properties handler returns NULL */
if (elements >= (zend_long)(HT_MAX_SIZE - zend_hash_num_elements(ht))) { /* crashes here on the NULL ht */
  return 0;
}


Code
---------
<?php
 $c = unserialize('O:3:"com":0:{}');
 [2018-11-20 00:40 UTC] php at zsxsoft dot com
-Summary: serializing a com() will cause a crash +Summary: serializing or unserializing a com() will cause a crash
 [2018-11-20 00:40 UTC] php at zsxsoft dot com
Unserialize a `com` will cause a crash too.
 [2018-11-20 00:53 UTC] php at zsxsoft dot com
After fuzzing, I found that calling `unserialize` on these classes can crash PHP:
- variant
- com
- dotnet


unserialize('O:7:"variant":0:{}');
unserialize('O:3:"com":0:{}');
unserialize('O:6:"dotnet":0:{}');
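The following is an added example, not code from the bug report or from php-src, showing the userland guards a practitioner would put in front of the two crashing paths discussed above: refusing to serialize objects of the COM-extension classes named in the report, and refusing to unserialize payloads that name them (or any class not explicitly allowed), so an attacker-supplied `O:3:"com":0:{}` never reaches the COM handlers. The function names (`serialized_class_names`, `safe_unserialize`, `safe_serialize`) and the constant `COM_EXTENSION_CLASSES` are hypothetical helpers introduced here; the sample payloads are constructed from the ones in the thread.

```php
<?php
// Added example, not part of the bug report or of php-src. Two userland guards:
// (1) reject serialized payloads that would instantiate disallowed classes,
// (2) reject COM-extension objects before serialize() is called.

/** Class names the report says crash on serialize()/unserialize() (hypothetical constant). */
const COM_EXTENSION_CLASSES = ['com', 'dotnet', 'variant', 'com_safearray_proxy'];

/**
 * Return the class names a serialized payload would instantiate, without
 * running unserialize(). Matches O:<len>:"<name>": and C:<len>:"<name>":.
 * Deliberately conservative: a string that merely contains such a token is
 * also reported, which only ever rejects benign data, never the reverse.
 */
function serialized_class_names(string $data): array
{
    preg_match_all('/[OC]:\d+:"([^"]*)":/', $data, $matches);
    // Class lookups in PHP are case-insensitive, so normalise before comparing.
    return array_values(array_unique(array_map('strtolower', $matches[1])));
}

/**
 * unserialize() with an explicit allow-list. Any object of a class that is
 * not listed aborts before the engine is asked to instantiate it, so the
 * O:3:"com":0:{} payload from the report never reaches com's handlers.
 */
function safe_unserialize(string $data, array $allowed = [])
{
    $allowed = array_map('strtolower', $allowed);
    foreach (serialized_class_names($data) as $class) {
        if (!in_array($class, $allowed, true)) {
            throw new UnexpectedValueException("refusing to unserialize object of class '$class'");
        }
    }
    // The engine-side allow-list (PHP >= 7.0) enforces the same policy inside
    // the unserializer; an empty array allows no classes at all.
    return unserialize($data, ['allowed_classes' => $allowed]);
}

/**
 * serialize() that rejects COM-extension objects (and anything containing
 * them) instead of letting the engine crash. instanceof against a class that
 * is not loaded, e.g. on non-Windows builds, is simply false.
 */
function safe_serialize($value): string
{
    $check = function ($v) use (&$check) {
        if (is_object($v)) {
            foreach (COM_EXTENSION_CLASSES as $class) {
                if ($v instanceof $class) {
                    throw new UnexpectedValueException(get_class($v) . ' objects cannot be serialized');
                }
            }
            // Walk the public properties so nested arrays/objects are checked too.
            foreach (get_object_vars($v) as $prop) {
                $check($prop);
            }
        } elseif (is_array($v)) {
            foreach ($v as $item) {
                $check($item);
            }
        }
    };
    $check($value);
    return serialize($value);
}

// Constructed sample payloads: the three from the report plus a benign one.
$payloads = [
    'O:3:"com":0:{}',
    'O:7:"variant":0:{}',
    'a:1:{i:0;O:6:"dotnet":0:{}}',
    'a:2:{i:0;i:1;i:1;s:2:"ok";}',
];
foreach ($payloads as $payload) {
    try {
        var_dump(safe_unserialize($payload));
    } catch (UnexpectedValueException $e) {
        echo $e->getMessage(), "\n";
    }
}

echo safe_serialize(['x' => 1, 'y' => [2, 3]]), "\n";
```

Only the last payload deserializes; the first three are rejected by the pre-scan before `unserialize()` runs, and `allowed_classes` would turn any class that slipped past the scan into `__PHP_Incomplete_Class` rather than instantiating it. Since the report traces the crash back to PHP 5.0RC1 and `allowed_classes` only exists from PHP 7.0, the pre-scan is the part that matters on older builds.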
 [2018-11-20 23:33 UTC] cmb@php.net
-Summary: serializing or unserializing a com() will cause a crash +Summary: Serializing or unserializing COM objects crashes
 [2018-11-23 15:37 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=115ee49b0be12e3df7d2c7027609fbe1a1297e42
Log: Fix #77177: Serializing or unserializing COM objects crashes
 [2018-11-23 15:37 UTC] cmb@php.net
-Status: Verified +Status: Closed
 [2020-01-18 16:30 UTC] dadaguo at 126 dot com
The following patch has been added/updated:

Patch Name: newtest0292
Revision:   1579365045
URL:        https://bugs.php.net/patch-display.php?bug=77177&patch=newtest0292&revision=1579365045
 [2020-11-27 02:32 UTC] 920768504 at qq dot com
The following patch has been added/updated:

Patch Name: patch
Revision:   1606444378
URL:        https://bugs.php.net/patch-display.php?bug=77177&patch=patch&revision=1606444378
 [2022-02-17 07:25 UTC] jaky0306 at qq dot com
The following patch has been added/updated:

Patch Name: paxsk
Revision:   1645082739
URL:        https://bugs.php.net/patch-display.php?bug=77177&patch=paxsk&revision=1645082739