php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #73831 NULL Pointer Dereference while unserialize php object
Submitted: 2016-12-29 14:55 UTC Modified: 2017-02-09 10:45 UTC
From: nguyenvuhoang199321 at gmail dot com Assigned: stas (profile)
Status: Closed Package: WDDX related
PHP Version: 7.0.14 OS: ALL
Private report: No CVE-ID: 2016-10162
 [2016-12-29 14:55 UTC] nguyenvuhoang199321 at gmail dot com
Description:
------------
Because no checking result of object_init_ex so that if user passing implement class, abstract class the result of this is FALSE and args is NULL, so that lead program crash
```	if (UNEXPECTED(class_type->ce_flags & (ZEND_ACC_INTERFACE|ZEND_ACC_TRAIT|ZEND_ACC_IMPLICIT_ABSTRACT_CLASS|ZEND_ACC_EXPLICIT_ABSTRACT_CLASS))) {
		if (class_type->ce_flags & ZEND_ACC_INTERFACE) {
			zend_throw_error(NULL, "Cannot instantiate interface %s", ZSTR_VAL(class_type->name));
		} else if (class_type->ce_flags & ZEND_ACC_TRAIT) {
			zend_throw_error(NULL, "Cannot instantiate trait %s", ZSTR_VAL(class_type->name));
		} else {
			zend_throw_error(NULL, "Cannot instantiate abstract class %s", ZSTR_VAL(class_type->name));
		}
		ZVAL_NULL(arg);
		Z_OBJ_P(arg) = NULL;
		return FAILURE;
	}

	if (UNEXPECTED(!(class_type->ce_flags & ZEND_ACC_CONSTANTS_UPDATED))) {
		if (UNEXPECTED(zend_update_class_constants(class_type) != SUCCESS)) {
			ZVAL_NULL(arg);
			Z_OBJ_P(arg) = NULL;
			return FAILURE;
		}
	}

	if (class_type->create_object == NULL) {
		ZVAL_OBJ(arg, zend_objects_new(class_type));
		if (properties) {
			object_properties_init_ex(Z_OBJ_P(arg), properties);
		} else {
			object_properties_init(Z_OBJ_P(arg), class_type);
		}
	} else {
		ZVAL_OBJ(arg, class_type->create_object(class_type));
	}
	return SUCCESS;
```
```
object_init_ex(&obj, pce);

							/* Merge current hashtable with object's default properties */
							zend_hash_merge(Z_OBJPROP(obj),
											Z_ARRVAL(ent2->data),
											zval_add_ref, 0);
```

Test script:
---------------
$xml = <<<EOF
<?xml version="1.0" ?>
<wddxPacket version="1.0">
	<struct>
		<var name="php_class_name">
			<string>Throwable</string>
                </var>
        </struct>
</wddxPacket>
EOF;
	$wddx = wddx_deserialize($xml);
	var_dump($wddx);


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-01-01 04:15 UTC] stas@php.net
-PHP Version: 7.1Git-2016-12-29 (Git) +PHP Version: 7.0.14 -Assigned To: +Assigned To: stas -CVE-ID: +CVE-ID: needed
 [2017-01-01 04:15 UTC] stas@php.net
The fix is in security repo as 8d2539fa0faf3f63e1d1e7635347c5b9e777d47b and in https://gist.github.com/5949c2ca31fb5bb030773a8e78571444

please verify
 [2017-01-02 11:53 UTC] nguyenvuhoang199321 at gmail dot com
Bug is fixed
 [2017-01-03 05:39 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8d2539fa0faf3f63e1d1e7635347c5b9e777d47b
Log: Fix bug #73831 - NULL Pointer Dereference while unserialize php object
 [2017-01-03 05:39 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2017-01-25 11:11 UTC] kaplan@php.net
-CVE-ID: needed +CVE-ID: 2016-10162
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Oct 04 19:01:27 2024 UTC