
Commit dcf3c97

Fixed bug #70661 (Use After Free Vulnerability in WDDX Packet Deserialization)
1 parent 1785d2b commit dcf3c97


3 files changed

+72
-1
lines changed


NEWS

Lines changed: 2 additions & 0 deletions
@@ -12,6 +12,8 @@ PHP NEWS
1212
Out of Bounds). (emmanuel dot law at gmail dot com).
1313

1414
- WDDX:
15+
. Fixed bug #70661 (Use After Free Vulnerability in WDDX Packet Deserialization).
16+
(taoguangchen at icloud dot com)
1517
. Fixed bug #70741 (Session WDDX Packet Deserialization Type Confusion
1618
Vulnerability). (taoguangchen at icloud dot com)
1719

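--- /dev/null
+++ b/ext/wddx/tests/bug70661.phpt
@@ -0,0 +1,69 @@
+--TEST--
+Bug #70661 (Use After Free Vulnerability in WDDX Packet Deserialization)
+--SKIPIF--
+<?php
+if (!extension_loaded("wddx")) print "skip";
+?>
+--FILE--
+<?php
+$fakezval = ptr2str(1122334455);
+$fakezval .= ptr2str(0);
+$fakezval .= "\x00\x00\x00\x00";
+$fakezval .= "\x01";
+$fakezval .= "\x00";
+$fakezval .= "\x00\x00";
+
+$x = <<<EOT
+<?xml version='1.0'?>
+<wddxPacket version='1.0'>
+<header/>
+<data>
+<struct>
+<recordset rowCount='1' fieldNames='ryat'>
+<field name='ryat'>
+<var name='php_class_name'>
+<string>stdClass</string>
+</var>
+<null/>
+</field>
+</recordset>
+</struct>
+</data>
+</wddxPacket>
+EOT;
+
+$y = wddx_deserialize($x);
+
+for ($i = 0; $i < 5; $i++) {
+$v[$i] = $fakezval.$i;
+}
+
+var_dump($y);
+
+function ptr2str($ptr)
+{
+$out = '';
+
+for ($i = 0; $i < 8; $i++) {
+$out .= chr($ptr & 0xff);
+$ptr >>= 8;
+}
+
+return $out;
+}
+?>
+DONE
+--EXPECTF--
+array(1) {
+[0]=>
+array(1) {
+["ryat"]=>
+array(2) {
+["php_class_name"]=>
+string(8) "stdClass"
+[0]=>
+NULL
+}
+}
+}
+DONE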
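Review bot: The expected block is declared as `--EXPECTF--` but contains no format placeholders (`%s`, `%d`, `%a`), so plain `--EXPECT--` states the contract more precisely and rules out accidental wildcard matching. The reproducer is also tied to a 64-bit layout — `ptr2str()` emits exactly 8 bytes per pointer and the fake zval is assembled from two of them plus fixed bytes — so a comment above the spray loop such as `// heap-groom fake zvals right after wddx_deserialize(); the corruption is only observable on 64-bit builds and presumably only under ASan/Valgrind — confirm` would tell the next maintainer why `$v[$i]` is written and never read. Without such a note the loop reads as dead code and is at risk of being "cleaned up", which would silently turn the test into a no-op regression check.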

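--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@@ -978,7 +978,7 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
 
 if (ent1->varname) {
 if (!strcmp(ent1->varname, PHP_CLASS_NAME_VAR) &&
-Z_TYPE_P(ent1->data) == IS_STRING && Z_STRLEN_P(ent1->data)) {
+Z_TYPE_P(ent1->data) == IS_STRING && Z_STRLEN_P(ent1->data) && ent2->type == ST_STRUCT) {
 zend_bool incomplete_class = 0;
 
 zend_str_tolower(Z_STRVAL_P(ent1->data), Z_STRLEN_P(ent1->data));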
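Review bot: The new `ent2->type == ST_STRUCT` guard on line 981 carries no explanation, and why it closes a use-after-free is not obvious from the predicate itself; add a why-comment above the `if`, e.g. `/* Honor php_class_name only when the parent element is a <struct>. Under any other parent (bug70661.phpt uses a recordset field) ent2->data is not a struct this branch owns, and replacing it with an object frees a zval the parent still references. */` — the recordset detail is inferred from the accompanying test rather than from this hunk, so confirm it before committing the wording. The condition now spans a very long line; putting `&& ent2->type == ST_STRUCT` on its own continuation line keeps the four-part predicate readable and makes the security-relevant clause stand out in future diffs. `php_wddx_pop_element` begins and ends outside this hunk, so whether `ent2` is guaranteed non-NULL at this point cannot be confirmed here; if the element stack can be empty when a `php_class_name` var is popped, the added dereference needs a preceding `ent2 &&`.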
