Merge branch 'PHP-7.4'

nikic · nikic · commit fb60ccc666e5 · 2019-09-25T11:03:19.000+02:00
diff --git a/ext/session/session.c b/ext/session/session.c
@@ -245,11 +245,18 @@ static zend_string *php_session_encode(void) /* {{{ */
 
 static int php_session_decode(zend_string *data) /* {{{ */
 {
+	int res;
 	if (!PS(serializer)) {
 		php_error_docref(NULL, E_WARNING, "Unknown session.serialize_handler. Failed to decode session object");
 		return FAILURE;
 	}
-	if (PS(serializer)->decode(ZSTR_VAL(data), ZSTR_LEN(data)) == FAILURE) {
+	/* Make sure that any uses of unserialize() during session decoding do not share
+	 * state with any unserialize() that is already in progress (e.g. because we are
+	 * currently inside Serializable::unserialize(). */
+	BG(serialize_lock)++;
+	res = PS(serializer)->decode(ZSTR_VAL(data), ZSTR_LEN(data));
+	BG(serialize_lock)--;
+	if (res == FAILURE) {
 		php_session_destroy();
 		php_session_track_init();
 		php_error_docref(NULL, E_WARNING, "Failed to decode session object. Session has been destroyed");
diff --git a/ext/standard/tests/serialize/bug70219.phpt b/ext/standard/tests/serialize/bug70219.phpt
@@ -4,8 +4,6 @@ Bug #70219 Use after free vulnerability in session deserializer
 <?php
 if (!extension_loaded('session')) die('skip session extension not available');
 ?>
---XFAIL--
-Unfinished merge, needs fix.
 --FILE--
 <?php
 class obj implements Serializable {
@@ -32,15 +30,6 @@ var_dump($data);
 ?>
 --EXPECTF--
 Warning: session_decode(): Failed to decode session object. Session has been destroyed in %s on line %d
-array(2) {
-  [0]=>
-  object(obj)#%d (1) {
-    ["data"]=>
-    NULL
-  }
-  [1]=>
-  &array(1) {
-    ["data"]=>
-    NULL
-  }
-}
+
+Notice: unserialize(): Error at offset 55 of 56 bytes in %s on line %d
+bool(false)
diff --git a/ext/standard/tests/serialize/bug70219_1.phpt b/ext/standard/tests/serialize/bug70219_1.phpt
@@ -18,6 +18,7 @@ class obj implements Serializable {
     }
     function unserialize($data) {
         session_decode($data);
+        return null;
     }
 }
 
@@ -33,20 +34,18 @@ for ($i = 0; $i < 5; $i++) {
 var_dump($data);
 var_dump($_SESSION);
 ?>
---EXPECTF--
+--EXPECT--
 array(2) {
   [0]=>
-  object(obj)#%d (1) {
+  object(obj)#1 (1) {
     ["data"]=>
     NULL
   }
   [1]=>
-  object(obj)#%d (1) {
+  object(obj)#2 (1) {
     ["data"]=>
     NULL
   }
 }
-object(obj)#1 (1) {
-  ["data"]=>
-  NULL
+array(0) {
 }

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,7 @@ class obj implements Serializable {`
`18`	`18`	`}`
`19`	`19`	`function unserialize($data) {`
`20`	`20`	`session_decode($data);`
	`21`	`+ return null;`
`21`	`22`	`}`
`22`	`23`	`}`
`23`	`24`
`@@ -33,20 +34,18 @@ for ($i = 0; $i < 5; $i++) {`
`33`	`34`	`var_dump($data);`
`34`	`35`	`var_dump($_SESSION);`
`35`	`36`	`?>`
`36`		`---EXPECTF--`
	`37`	`+--EXPECT--`
`37`	`38`	`array(2) {`
`38`	`39`	`[0]=>`
`39`		`- object(obj)#%d (1) {`
	`40`	`+ object(obj)#1 (1) {`
`40`	`41`	`["data"]=>`
`41`	`42`	`NULL`
`42`	`43`	`}`
`43`	`44`	`[1]=>`
`44`		`- object(obj)#%d (1) {`
	`45`	`+ object(obj)#2 (1) {`
`45`	`46`	`["data"]=>`
`46`	`47`	`NULL`
`47`	`48`	`}`
`48`	`49`	`}`
`49`		`-object(obj)#1 (1) {`
`50`		`- ["data"]=>`
`51`		`- NULL`
	`50`	`+array(0) {`
`52`	`51`	`}`