Another use-after-free vulnerability in unserialize() was found when during deserialization it will still allow to use R: or r: to set references to the already freed memory.
Vulnerable code:
while(*p == ':') {
++p;
ALLOC_INIT_ZVAL(elem);
if (!php_var_unserialize(&elem, &p, s + buf_len, &var_hash TSRMLS_CC)) {
zval_ptr_dtor(&elem);
goto error;
}
spl_ptr_llist_push(intern->llist, elem TSRMLS_CC);
}
Upstream report:
https://bugs.php.net/bug.php?id=70366
Upstream patch:
http://git.php.net/?p=php-src.git;a=commit;h=259057b2a484747a6c73ce54c4fa0f5acbd56179