php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #77177 Serializing or unserializing COM objects crashes
Submitted: 2018-11-19 16:38 UTC Modified: 2018-11-20 23:33 UTC
From: php at zsxsoft dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: PHP 7.1.24 OS: Windows
Private report: No CVE-ID: None
 [2018-11-19 16:38 UTC] php at zsxsoft dot com
Description:
------------
When try to `serialize` a class, `serialize` will try to get all properties of the class by `zend_get_properties_for`. Then it will get the count of the properties by `zend_array_count` without checking nullptr. 

`com` and `com_safearray_proxy` will always returns NULL in `com_properties_get` so it will crash on `zend_array_count`.

Affect code
------------------------
ext/standard/var.c

static void php_var_serialize_intern(smart_str *buf, zval *struc, php_serialize_data_t var_hash) /* {{{ */
[...]
incomplete_class = php_var_serialize_class_name(buf, struc);
myht = zend_get_properties_for(struc, ZEND_PROP_PURPOSE_SERIALIZE);
> i = zend_array_count(myht); // Crash here because myht == NULL
if (i > 0 && incomplete_class) {
  --i;
}


ext/com_dotnet/com_handlers.c

static HashTable *com_properties_get(zval *object)
{
	/* TODO: use type-info to get all the names and values ?
	 * DANGER: if we do that, there is a strong possibility for
	 * infinite recursion when the hash is displayed via var_dump().
	 * Perhaps it is best to leave it un-implemented.
	 */
	return NULL;
}



Test script:
---------------
<?php
$a = new COM("WScript.Shell");
serialize($a);

Expected result:
----------------
Nothing happened

Actual result:
--------------
Crash

Patches

paxsk (last revision 2022-02-17 07:25 UTC by jaky0306 at qq dot com)
patch (last revision 2020-11-27 02:32 UTC by 920768504 at qq dot com)
newtest0292 (last revision 2020-01-18 16:30 UTC by dadaguo at 126 dot com)

Pull Requests

Pull requests:

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-11-19 18:33 UTC] cmb@php.net
-Status: Open +Status: Verified -PHP Version: Next Major Version +PHP Version: PHP 7.1.24
 [2018-11-19 18:33 UTC] cmb@php.net
This also happens with older PHP versions.

Is an get_properties handler supposed to ever return NULL?
 [2018-11-20 00:37 UTC] php at zsxsoft dot com
Also, unserialize a `com` will cause a crash too.

I reviewed the git blame and found this bug can effect from PHP 5.0RC1RC1 to branch master: https://github.com/php/php-src/blob/6df5d5ba202b531de6bb563e2462e046d701e8d6/ext/com_dotnet/com_handlers.c#L264.

Effected code
---------
ext/standard/var_unserializer.c
static inline int object_common2(UNSERIALIZE_PARAMETER, zend_long elements)

ht = Z_OBJPROP_P(rval);
if (elements >= (zend_long)(HT_MAX_SIZE - zend_hash_num_elements(ht))) {
  return 0;
}


Code
---------
<?php
 $c = unserialize('O:3:"com":0:{}');
 [2018-11-20 00:40 UTC] php at zsxsoft dot com
-Summary: serializing a com() will cause a crash +Summary: serializing or unserializing a com() will cause a crash
 [2018-11-20 00:40 UTC] php at zsxsoft dot com
Unserialize a `com` will cause a crash too.
 [2018-11-20 00:53 UTC] php at zsxsoft dot com
After fuzzing, I found `unserialize` those classes can crash php: 
- variant
- com
- dotnet


unserialize('O:7:"variant":0:{}');
unserialize('O:3:"com":0:{}');
unserialize('O:6:"dotnet":0:{}');
 [2018-11-20 23:33 UTC] cmb@php.net
-Summary: serializing or unserializing a com() will cause a crash +Summary: Serializing or unserializing COM objects crashes
 [2018-11-23 15:37 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=115ee49b0be12e3df7d2c7027609fbe1a1297e42
Log: Fix #77177: Serializing or unserializing COM objects crashes
 [2018-11-23 15:37 UTC] cmb@php.net
-Status: Verified +Status: Closed
 [2020-01-18 16:30 UTC] dadaguo at 126 dot com
The following patch has been added/updated:

Patch Name: newtest0292
Revision:   1579365045
URL:        https://bugs.php.net/patch-display.php?bug=77177&patch=newtest0292&revision=1579365045
 [2020-11-27 02:32 UTC] 920768504 at qq dot com
The following patch has been added/updated:

Patch Name: patch
Revision:   1606444378
URL:        https://bugs.php.net/patch-display.php?bug=77177&patch=patch&revision=1606444378
 [2022-02-17 07:25 UTC] jaky0306 at qq dot com
The following patch has been added/updated:

Patch Name: paxsk
Revision:   1645082739
URL:        https://bugs.php.net/patch-display.php?bug=77177&patch=paxsk&revision=1645082739
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Oct 14 06:01:27 2024 UTC