A use-after-free flaw was found in the php_wddx_pop_element() function of PHP's WDDX extension. Unserializing specially crafted input could cause a PHP application to crash or, possibly, execute arbitrary code.
A use-after-free vulnerability was found that could possibly lead to arbitrary remote code execution. Vulnerable code:
if (Z_TYPE_P(ent2->data) == IS_ARRAY || Z_TYPE_P(ent2->data) == IS_OBJECT) {
    target_hash = HASH_OF(ent2->data);
    if (ent1->varname) {
        if (!strcmp(ent1->varname, PHP_CLASS_NAME_VAR) &&
            Z_TYPE_P(ent1->data) == IS_STRING && Z_STRLEN_P(ent1->data)) {
            ...
            /* Clean up old array entry */
            zval_ptr_dtor(&ent2->data);
            /* Set stack entry to point to the newly created object */
            ent2->data = obj;
            /* Clean up class name var entry */
            zval_ptr_dtor(&ent1->data);
During WDDX packet deserialization, zval_ptr_dtor() frees the ZVAL from memory; however, a crafted recordset can still reference the already freed memory.
Upstream patch:
https://git.php.net/?p=php-src.git;a=commit;h=366f9505a4aae98ef2f4ca39a838f628a324b746
Upstream bug (contains reproducer):
https://bugs.php.net/bug.php?id=70661
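The ownership pattern behind this bug, as an added illustration that is not PHP's code: a stack entry's array value is released and replaced by the object built from it, while a second consumer (modelled here as the recordset reference) still points at the array. The val_t type, val_release() and pop_element() are a simplified model of refcounted values; val_release() only marks a value as freed instead of calling free(), so the stale access can be observed safely.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified refcounted value. A model only, not PHP's zval:
 * val_release() marks the value freed rather than calling free(),
 * so a stale access can be checked without undefined behaviour. */
typedef struct {
    int refcount;
    int freed;
    char payload[16];
} val_t;

static val_t *val_new(const char *s)
{
    val_t *v = calloc(1, sizeof *v);
    if (!v) abort();
    v->refcount = 1;
    strncpy(v->payload, s, sizeof v->payload - 1);
    return v;
}

static void val_addref(val_t *v) { v->refcount++; }

/* Analogue of zval_ptr_dtor(): drop one reference, "free" at zero. */
static void val_release(val_t *v)
{
    if (--v->refcount == 0)
        v->freed = 1;
}

typedef struct { val_t *data; } entry_t;   /* parser-stack entry (cf. ent2) */

/* own_ref == 0: the recordset merely borrows the pointer (buggy pattern).
 * own_ref == 1: the recordset takes its own reference first (safe pattern).
 * Returns 1 if the recordset ends up pointing at a freed value. */
static int pop_element(int own_ref)
{
    entry_t ent2 = { val_new("array") };
    val_t *arr = ent2.data;
    val_t *recordset_ref = arr;            /* still references the array */
    if (own_ref)
        val_addref(recordset_ref);

    val_t *obj = val_new("object");
    val_release(ent2.data);                /* Clean up old array entry */
    ent2.data = obj;                       /* stack entry now holds obj */

    int dangling = recordset_ref->freed;   /* 1 = use-after-free */
    if (own_ref)
        val_release(recordset_ref);        /* recordset drops its reference */
    free(arr);
    free(ent2.data);
    return dangling;
}
```

The borrowed-pointer path reports a dangling reference; holding a real reference for the lifetime of the consumer, which is what proper refcount ownership in the unserializer must guarantee, does not.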