PHP 7.0.10 Missing type check when unserializing SplArray
Posted on 30 November -0001
<HTML><HEAD><TITLE>PHP 7.0.10 Missing type check when unserializing SplArray</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>Description: ------------ The return value is not checked and used on spl_array_get_dimension_ptr_ptr static zval **spl_array_get_dimension_ptr_ptr(int check_inherited, zval *object, zval *offset, int type TSRMLS_DC) /* {{{ */ { .... HashTable *ht = spl_array_get_hash_table(intern, 0 TSRMLS_CC); <--- here is not check ht with NULL } Test script: --------------- <?php $a = 'C:11:"ArrayObject":19:0x:i:0;r:2;;m:a:0:{}}'; $m = unserialize($a); $x = $m[2]; ?> Expected result: ---------------- No crash Actual result: -------------- $ gdb /data/php-src-PHP-5.6.26/sapi/cli/php GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1 (gdb) r se.php Starting program: /data/php-src-PHP-5.6.26/sapi/cli/php se.php [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Program received signal SIGSEGV, Segmentation fault. 0x0000000000ac08e3 in _zend_is_inconsistent (ht=0x0, file=0x10d3b78 "/data/php-src-PHP-5.6.26/Zend/zend_hash.c", line=938) at /data/php-src-PHP-5.6.26/Zend/zend_hash.c:60 60 if (ht->inconsistent==HT_OK) { (gdb) bt #0 0x0000000000ac08e3 in _zend_is_inconsistent (ht=0x0, file=0x10d3b78 "/data/php-src-PHP-5.6.26/Zend/zend_hash.c", line=938) at /data/php-src-PHP-5.6.26/Zend/zend_hash.c:60 #1 0x0000000000ac3625 in zend_hash_index_find (ht=0x0, h=2, pData=0x7fffffffaaf0) at /data/php-src-PHP-5.6.26/Zend/zend_hash.c:938 #2 0x000000000089621a in spl_array_get_dimension_ptr_ptr (check_inherited=1, object=0x7ffff7fc50b8, offset=0x7ffff7fc7940, type=0) at /data/php-src-PHP-5.6.26/ext/spl/spl_array.c:357 #3 0x000000000089664b in spl_array_read_dimension_ex (check_inherited=1, object=0x7ffff7fc50b8, offset=0x7ffff7fc7940, type=0) at /data/php-src-PHP-5.6.26/ext/spl/spl_array.c:406 #4 0x000000000089679b in spl_array_read_dimension (object=0x7ffff7fc50b8, offset=0x7ffff7fc7940, type=0) at /data/php-src-PHP-5.6.26/ext/spl/spl_array.c:434 #5 0x0000000000af40b6 in zend_fetch_dimension_address_read (result=0x7ffff7f901e0, container=0x7ffff7fc50b8, dim=0x7ffff7fc7940, dim_type=1, type=0) at /data/php-src-PHP-5.6.26/Zend/zend_execute.c:1364 #6 0x0000000000b4ae0a in ZEND_FETCH_DIM_R_SPEC_CV_CONST_HANDLER (execute_data=0x7ffff7f90260) at /data/php-src-PHP-5.6.26/Zend/zend_vm_execute.h:32849 #7 0x0000000000af5196 in execute_ex (execute_data=0x7ffff7f90260) at /data/php-src-PHP-5.6.26/Zend/zend_vm_execute.h:363 #8 0x0000000000af521f in zend_execute (op_array=0x7ffff7fc5fd8) at /data/php-src-PHP-5.6.26/Zend/zend_vm_execute.h:388 #9 0x0000000000ab0372 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /data/php-src-PHP-5.6.26/Zend/zend.c:1341 #10 0x0000000000a15aa2 in php_execute_script (primary_file=0x7fffffffd200) at /data/php-src-PHP-5.6.26/main/main.c:2613 #11 0x0000000000b64a18 in do_cli (argc=2, argv=0x1460a90) at /data/php-src-PHP-5.6.26/sapi/cli/php_cli.c:994 #12 0x0000000000b65d71 in main (argc=2, argv=0x1460a90) at /data/php-src-PHP-5.6.26/sapi/cli/php_cli.c:1378 </BODY></HTML>