php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #77177 Serializing or unserializing COM objects crashes
Submitted: 2018-11-19 16:38 UTC Modified: 2018-11-20 23:33 UTC
From: php at zsxsoft dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: PHP 7.1.24 OS: Windows
Private report: No CVE-ID: None
 [2018-11-19 16:38 UTC] php at zsxsoft dot com
Description:
------------
When try to `serialize` a class, `serialize` will try to get all properties of the class by `zend_get_properties_for`. Then it will get the count of the properties by `zend_array_count` without checking nullptr. 

`com` and `com_safearray_proxy` will always returns NULL in `com_properties_get` so it will crash on `zend_array_count`.

Affect code
------------------------
ext/standard/var.c

static void php_var_serialize_intern(smart_str *buf, zval *struc, php_serialize_data_t var_hash) /* {{{ */
[...]
incomplete_class = php_var_serialize_class_name(buf, struc);
myht = zend_get_properties_for(struc, ZEND_PROP_PURPOSE_SERIALIZE);
> i = zend_array_count(myht); // Crash here because myht == NULL
if (i > 0 && incomplete_class) {
  --i;
}


ext/com_dotnet/com_handlers.c

static HashTable *com_properties_get(zval *object)
{
	/* TODO: use type-info to get all the names and values ?
	 * DANGER: if we do that, there is a strong possibility for
	 * infinite recursion when the hash is displayed via var_dump().
	 * Perhaps it is best to leave it un-implemented.
	 */
	return NULL;
}



Test script:
---------------
<?php
$a = new COM("WScript.Shell");
serialize($a);

Expected result:
----------------
Nothing happened

Actual result:
--------------
Crash

Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-11-19 18:33 UTC] cmb@php.net
-Status: Open +Status: Verified -PHP Version: Next Major Version +PHP Version: PHP 7.1.24
 [2018-11-19 18:33 UTC] cmb@php.net
This also happens with older PHP versions.

Is an get_properties handler supposed to ever return NULL?
 [2018-11-20 00:37 UTC] php at zsxsoft dot com
Also, unserialize a `com` will cause a crash too.

I reviewed the git blame and found this bug can effect from PHP 5.0RC1RC1 to branch master: https://github.com/php/php-src/blob/6df5d5ba202b531de6bb563e2462e046d701e8d6/ext/com_dotnet/com_handlers.c#L264.

Effected code
---------
ext/standard/var_unserializer.c
static inline int object_common2(UNSERIALIZE_PARAMETER, zend_long elements)

ht = Z_OBJPROP_P(rval);
if (elements >= (zend_long)(HT_MAX_SIZE - zend_hash_num_elements(ht))) {
  return 0;
}


Code
---------
<?php
 $c = unserialize('O:3:"com":0:{}');
 [2018-11-20 00:40 UTC] php at zsxsoft dot com
-Summary: serializing a com() will cause a crash +Summary: serializing or unserializing a com() will cause a crash
 [2018-11-20 00:40 UTC] php at zsxsoft dot com
Unserialize a `com` will cause a crash too.
 [2018-11-20 00:53 UTC] php at zsxsoft dot com
After fuzzing, I found `unserialize` those classes can crash php: 
- variant
- com
- dotnet


unserialize('O:7:"variant":0:{}');
unserialize('O:3:"com":0:{}');
unserialize('O:6:"dotnet":0:{}');
 [2018-11-20 23:33 UTC] cmb@php.net
-Summary: serializing or unserializing a com() will cause a crash +Summary: Serializing or unserializing COM objects crashes
 [2018-11-23 15:37 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=115ee49b0be12e3df7d2c7027609fbe1a1297e42
Log: Fix #77177: Serializing or unserializing COM objects crashes
 [2018-11-23 15:37 UTC] cmb@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Wed Dec 12 07:01:25 2018 UTC