Merge branch 'PHP-7.1'

Author: nikic

ext/standard/tests/serialize/bug69425.phpt

@@ -0,0 +1,65 @@
+--TEST--
+Bug #69425: Use After Free in unserialize()
+--FILE--
+<?php
+
+// POC 1
+class test
+{
+	var $ryat;
+	
+	function __wakeup()
+	{
+		$this->ryat = 1;
+	}
+}
+
+$data = unserialize('a:2:{i:0;O:4:"test":1:{s:4:"ryat";R:1;}i:1;i:2;}');
+var_dump($data);
+
+// POC 2
+$data = unserialize('a:2:{i:0;O:12:"DateInterval":1:{s:1:"y";R:1;}i:1;i:2;}');
+var_dump($data);
+
+?>
+--EXPECT--
+int(1)
+array(2) {
+  [0]=>
+  object(DateInterval)#1 (16) {
+    ["y"]=>
+    int(-1)
+    ["m"]=>
+    int(-1)
+    ["d"]=>
+    int(-1)
+    ["h"]=>
+    int(-1)
+    ["i"]=>
+    int(-1)
+    ["s"]=>
+    int(-1)
+    ["f"]=>
+    float(-1)
+    ["weekday"]=>
+    int(-1)
+    ["weekday_behavior"]=>
+    int(-1)
+    ["first_last_day_of"]=>
+    int(-1)
+    ["invert"]=>
+    int(0)
+    ["days"]=>
+    int(-1)
+    ["special_type"]=>
+    int(0)
+    ["special_amount"]=>
+    int(-1)
+    ["have_weekday_relative"]=>
+    int(0)
+    ["have_special_relative"]=>
+    int(0)
+  }
+  [1]=>
+  int(2)
+}

ext/standard/tests/serialize/bug70513.phpt

@@ -0,0 +1,39 @@
+--TEST--
+Bug #70513: GMP Deserialization Type Confusion Vulnerability
+--SKIPIF--
+<?php if (!extension_loaded('gmp')) die('skip requires gmp');
+--FILE--
+<?php
+
+class obj
+{
+	var $ryat;
+	
+	function __wakeup()
+	{
+		$this->ryat = 1;
+	}
+}
+
+$obj = new stdClass;
+$obj->aa = 1;
+$obj->bb = 2;
+
+$inner = 's:1:"1";a:3:{s:2:"aa";s:2:"hi";s:2:"bb";s:2:"hi";i:0;O:3:"obj":1:{s:4:"ryat";R:2;}}';
+$exploit = 'a:1:{i:0;C:3:"GMP":'.strlen($inner).':{'.$inner.'}}';
+$x = unserialize($exploit);
+var_dump($x);
+var_dump($obj);
+
+?>
+--EXPECT--
+array(1) {
+  [0]=>
+  int(1)
+}
+object(stdClass)#1 (2) {
+  ["aa"]=>
+  int(1)
+  ["bb"]=>
+  int(2)
+}

ext/standard/tests/serialize/bug72731.phpt

@@ -0,0 +1,18 @@
+--TEST--
+Bug #72731: Type Confusion in Object Deserialization
+--FILE--
+<?php
+
+class obj {
+	var $ryat;
+	function __wakeup() {
+		$this->ryat = 0x1122334455;
+	}
+}
+
+$poc = 'O:8:"stdClass":1:{i:0;O:3:"obj":1:{s:4:"ryat";R:1;}}';
+var_dump(unserialize($poc));
+
+?>
+--EXPECT--
+int(73588229205)

ext/standard/var.c

@@ -1122,7 +1122,6 @@ PHP_FUNCTION(unserialize)
 		}
 		RETVAL_FALSE;
 	} else {
-		ZVAL_DEREF(retval);
 		ZVAL_COPY(return_value, retval);
 	}
 
@@ -1134,6 +1133,13 @@ PHP_FUNCTION(unserialize)
 	/* Reset to previous allowed_classes in case this is a nested call */
 	php_var_unserialize_set_allowed_classes(var_hash, prev_class_hash);
 	PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
+
+	/* Per calling convention we must not return a reference here, so unwrap. We're doing this at
+	 * the very end, because __wakeup() calls performed during UNSERIALIZE_DESTROY might affect
+	 * the value we unwrap here. This is compatible with behavior in PHP <=7.0. */
+	if (Z_ISREF_P(return_value)) {
+		zend_unwrap_reference(return_value);
+	}
 }
 /* }}} */