Fix use-after-free due to packed->mixed conversion with __unserialize()

nikic · nikic · commit c3376bf7aebe · 2019-09-16T14:37:16.000+02:00
diff --git a/ext/standard/tests/serialize/__serialize_007.phpt b/ext/standard/tests/serialize/__serialize_007.phpt
@@ -0,0 +1,15 @@
+--TEST--
+No packed -> mixed reallocation while populating __unserialize() array
+--FILE--
+<?php
+
+$payload = 'O:13:"ArrayIterator":2:{i:0;i:0;s:1:"x";R:2;}';
+try {
+    var_dump(unserialize($payload));
+} catch (Exception $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+Incomplete or ill-typed serialization data
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
@@ -651,6 +651,8 @@ static inline int object_common(UNSERIALIZE_PARAMETER, zend_long elements, zend_
 		}
 
 		array_init_size(&ary, elements);
+		/* Avoid reallocation due to packed -> mixed conversion. */
+		zend_hash_real_init_mixed(Z_ARRVAL(ary));
 		if (!process_nested_data(UNSERIALIZE_PASSTHRU, Z_ARRVAL(ary), elements, NULL)) {
 			ZVAL_DEREF(rval);
 			GC_ADD_FLAGS(Z_OBJ_P(rval), IS_OBJ_DESTRUCTOR_CALLED);

Original file line number	Diff line number	Diff line change
`@@ -651,6 +651,8 @@ static inline int object_common(UNSERIALIZE_PARAMETER, zend_long elements, zend_`
`651`	`651`	`}`
`652`	`652`
`653`	`653`	`array_init_size(&ary, elements);`
	`654`	`+ /* Avoid reallocation due to packed -> mixed conversion. */`
	`655`	`+ zend_hash_real_init_mixed(Z_ARRVAL(ary));`
`654`	`656`	`if (!process_nested_data(UNSERIALIZE_PASSTHRU, Z_ARRVAL(ary), elements, NULL)) {`
`655`	`657`	`ZVAL_DEREF(rval);`
`656`	`658`	`GC_ADD_FLAGS(Z_OBJ_P(rval), IS_OBJ_DESTRUCTOR_CALLED);`