From 6fc79c90a07672992b39d8d4fc95ad4023f751ae Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Mon, 31 Jan 2022 15:43:24 +0100
Subject: [PATCH] Fix #81708: UAF due to php_filter_float() failing for ints
We must only release the zval, if we actually assign a new zval.
---
ext/filter/logical_filters.c | 2 +-
ext/filter/tests/bug81708.phpt | 20 ++++++++++++++++++++
2 files changed, 21 insertions(+), 1 deletion(-)
create mode 100644 ext/filter/tests/bug81708.phpt
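diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c
index fa6ae65ac5..e5e87c0156 100644
--- a/ext/filter/logical_filters.c
+++ b/ext/filter/logical_filters.c
@@ -435,10 +435,10 @@ void php_filter_float(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */
 
 switch (is_numeric_string(num, p - num, &lval, &dval, 0)) {
 case IS_LONG:
- zval_ptr_dtor(value);
 if ((min_range_set && (lval < min_range)) || (max_range_set && (lval > max_range))) {
 goto error;
 }
+ zval_ptr_dtor(value);
 ZVAL_DOUBLE(value, (double)lval);
 break;
 case IS_DOUBLE: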
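Review bot: The ordering that fixes the bug is not explained in the code: in the `IS_LONG` branch `zval_ptr_dtor(value)` now has to stay below the range check, because the `goto error` path leaves without assigning a new value, and nothing on the line says so. A short comment above the call would keep a later clean-up from moving it back, for example `/* release the old value only once we are sure to assign a new one (bug #81708) */`. The `case IS_DOUBLE:` branch starts on the last context line and its body is outside this hunk, so it is worth confirming that it also releases `value` only after all of its checks. The body of php_filter_float() begins and ends outside the hunk.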
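diff --git a/ext/filter/tests/bug81708.phpt b/ext/filter/tests/bug81708.phpt
new file mode 100644
index 0000000000..d0036af136
--- /dev/null
+++ b/ext/filter/tests/bug81708.phpt
@@ -0,0 +1,20 @@
+--TEST--
+Bug #81708 (UAF due to php_filter_float() failing for ints)
+--SKIPIF--
+<?php
+if (!extension_loaded("filter")) die("skip filter extension not available");
+?>
+--INI--
+opcache.enable_cli=0
+--FILE--
+<?php
+$input = "+" . str_repeat("1", 2); // avoid string interning
+filter_var(
+ $input,
+ FILTER_VALIDATE_FLOAT,
+ ["options" => ['min_range' => -1, 'max_range' => 1]]
+);
+var_dump($input);
+?>
+--EXPECT--
+string(3) "+11"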
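Review bot: The regression test exercises only the upper bound: `+11` fails the `max_range` half of the condition, while the `min_range` half of the same `if` in php_filter_float() is never taken. A second call with a runtime-built value below the range, e.g. `$low = "-" . str_repeat("1", 2);` followed by the same `filter_var()` options and `var_dump($low);`, would cover it. The comment `// avoid string interning` could also say why that matters here — presumably an interned string is not freed by the destructor call, so the test would pass even without the fix.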
--
2.35.1.windows.1