diff options
| author | Igor Pashev <pashev.igor@gmail.com> | 2015-02-20 22:25:42 +0300 |
|---|---|---|
| committer | Igor Pashev <pashev.igor@gmail.com> | 2015-02-20 22:25:42 +0300 |
| commit | 71d41ca6bb3a9d888b39f34a30f994ac1cf88873 (patch) | |
| tree | 3a11365b77b332c078440204fb82549d34237a35 /ext/standard/tests/serialize | |
| parent | 2d50280dd013556e51b6f275ca965fe7b530029b (diff) | |
| parent | 1ceec3a053647865493ab417d3ce401b9bc42450 (diff) | |
| download | php-71d41ca6bb3a9d888b39f34a30f994ac1cf88873.tar.gz | |
Merge branch 'master-5.6' of git://anonscm.debian.org/pkg-php/php
Conflicts:
debian/changelog
debian/patches/series
Diffstat (limited to 'ext/standard/tests/serialize')
| -rw-r--r-- | ext/standard/tests/serialize/bug68044.phpt | 12 | ||||
| -rw-r--r-- | ext/standard/tests/serialize/bug68545.phpt | 11 | ||||
| -rw-r--r-- | ext/standard/tests/serialize/bug68594.phpt | 23 |
3 files changed, 46 insertions, 0 deletions
diff --git a/ext/standard/tests/serialize/bug68044.phpt b/ext/standard/tests/serialize/bug68044.phpt new file mode 100644 index 000000000..f8ef937b1 --- /dev/null +++ b/ext/standard/tests/serialize/bug68044.phpt @@ -0,0 +1,12 @@ +--TEST-- +Bug #68044 Integer overflow in unserialize() (32-bits only) +--FILE-- +<?php + echo unserialize('C:3:"XYZ":18446744075857035259:{}'); +?> +===DONE== +--EXPECTF-- +Warning: Insufficient data for unserializing - %d required, 1 present in %s%ebug68044.php on line 2 + +Notice: unserialize(): Error at offset 32 of 33 bytes in %s%ebug68044.php on line 2 +===DONE== diff --git a/ext/standard/tests/serialize/bug68545.phpt b/ext/standard/tests/serialize/bug68545.phpt new file mode 100644 index 000000000..e7250b37b --- /dev/null +++ b/ext/standard/tests/serialize/bug68545.phpt @@ -0,0 +1,11 @@ +--TEST-- +Bug #68545 NULL pointer dereference in unserialize.c:var_push_dtor +--FILE-- +<?php +var_dump(unserialize('a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"bar";s:3:"foo";a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"bar";s:3:"foo";s:3:"bar";a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"bar";s:3:"foo";a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"b22";s:3:"bar";s:3:"bar";s:3:"foo";s:3:"bar";a:6:{a:6:{s:3:"322";s:3:"bar";s:3:"bar";s:3:"foo";s:3:"bar";s:3:"bar";')); +?> +===DONE=== +--EXPECTF-- +Notice: unserialize(): Error at offset %d of %d bytes in %sbug68545.php on line %d +bool(false) +===DONE=== diff --git a/ext/standard/tests/serialize/bug68594.phpt b/ext/standard/tests/serialize/bug68594.phpt new file mode 100644 index 000000000..60fc7a76a --- /dev/null +++ b/ext/standard/tests/serialize/bug68594.phpt @@ -0,0 +1,23 @@ +--TEST-- +Bug #68545 Use after free vulnerability in unserialize() +--FILE-- +<?php +for ($i=4; $i<100; $i++) { + $m = new StdClass(); + + $u = array(1); + + $m->aaa = array(1,2,&$u,4,5); + $m->bbb = 1; + $m->ccc = &$u; + $m->ddd = str_repeat("A", $i); + + $z = serialize($m); + $z = str_replace("bbb", "aaa", $z); + $y = unserialize($z); + $z = serialize($y); +} +?> +===DONE=== +--EXPECTF-- +===DONE=== |