Merge branch 'PHP-5.6' into PHP-7.0

nikic · nikic · commit e0ca519a8ba9 · 2017-01-16T14:11:41.000+01:00
diff --git a/ext/standard/tests/serialize/bug69425.phpt b/ext/standard/tests/serialize/bug69425.phpt
@@ -0,0 +1,63 @@
+--TEST--
+Bug #69425: Use After Free in unserialize()
+--FILE--
+<?php
+
+// POC 1
+class test
+{
+	var $ryat;
+	
+	function __wakeup()
+	{
+		$this->ryat = 1;
+	}
+}
+
+$data = unserialize('a:2:{i:0;O:4:"test":1:{s:4:"ryat";R:1;}i:1;i:2;}');
+var_dump($data);
+
+// POC 2
+$data = unserialize('a:2:{i:0;O:12:"DateInterval":1:{s:1:"y";R:1;}i:1;i:2;}');
+var_dump($data);
+
+?>
+--EXPECT--
+int(1)
+array(2) {
+  [0]=>
+  object(DateInterval)#1 (15) {
+    ["y"]=>
+    int(-1)
+    ["m"]=>
+    int(-1)
+    ["d"]=>
+    int(-1)
+    ["h"]=>
+    int(-1)
+    ["i"]=>
+    int(-1)
+    ["s"]=>
+    int(-1)
+    ["weekday"]=>
+    int(-1)
+    ["weekday_behavior"]=>
+    int(-1)
+    ["first_last_day_of"]=>
+    int(-1)
+    ["invert"]=>
+    int(0)
+    ["days"]=>
+    int(-1)
+    ["special_type"]=>
+    int(0)
+    ["special_amount"]=>
+    int(-1)
+    ["have_weekday_relative"]=>
+    int(0)
+    ["have_special_relative"]=>
+    int(0)
+  }
+  [1]=>
+  int(2)
+}
diff --git a/ext/standard/tests/serialize/bug70513.phpt b/ext/standard/tests/serialize/bug70513.phpt
@@ -0,0 +1,39 @@
+--TEST--
+Bug #70513: GMP Deserialization Type Confusion Vulnerability
+--SKIPIF--
+<?php if (!extension_loaded('gmp')) die('skip requires gmp');
+--FILE--
+<?php
+
+class obj
+{
+	var $ryat;
+	
+	function __wakeup()
+	{
+		$this->ryat = 1;
+	}
+}
+
+$obj = new stdClass;
+$obj->aa = 1;
+$obj->bb = 2;
+
+$inner = 's:1:"1";a:3:{s:2:"aa";s:2:"hi";s:2:"bb";s:2:"hi";i:0;O:3:"obj":1:{s:4:"ryat";R:2;}}';
+$exploit = 'a:1:{i:0;C:3:"GMP":'.strlen($inner).':{'.$inner.'}}';
+$x = unserialize($exploit);
+var_dump($x);
+var_dump($obj);
+
+?>
+--EXPECT--
+array(1) {
+  [0]=>
+  int(1)
+}
+object(stdClass)#1 (2) {
+  ["aa"]=>
+  int(1)
+  ["bb"]=>
+  int(2)
+}
diff --git a/ext/standard/tests/serialize/bug72731.phpt b/ext/standard/tests/serialize/bug72731.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Bug #72731: Type Confusion in Object Deserialization
+--FILE--
+<?php
+
+class obj {
+	var $ryat;
+	function __wakeup() {
+		$this->ryat = 0x1122334455;
+	}
+}
+
+$poc = 'O:8:"stdClass":1:{i:0;O:3:"obj":1:{s:4:"ryat";R:1;}}';
+var_dump(unserialize($poc));
+
+?>
+--EXPECT--
+int(73588229205)
