From c2e197e4efc663ca55f393bf0e799848842286f3 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev
Date: Sat, 1 Aug 2015 21:12:38 -0700
Subject: [PATCH] Fix bug #70168 - Use After Free Vulnerability in unserialize() with SplObjectStorage
---
 ext/spl/spl_observer.c | 68 +++++++++++++++++++++++----------------------
 ext/spl/tests/bug70168.phpt | 19 +++++++++++++
 2 files changed, 54 insertions(+), 33 deletions(-)
 create mode 100644 ext/spl/tests/bug70168.phpt
Index: php5-5.6.11+dfsg/ext/spl/spl_observer.c
===================================================================
--- php5-5.6.11+dfsg.orig/ext/spl/spl_observer.c 2015-09-25 11:29:38.347433718 -0400
+++ php5-5.6.11+dfsg/ext/spl/spl_observer.c 2015-09-25 11:29:38.343433667 -0400
@@ -838,14 +838,15 @@
 goto outexcept;
 }
+ var_push_dtor(&var_hash, &pcount);
 --p; /* for ';' */
 count = Z_LVAL_P(pcount);
-
+
 while(count-- > 0) {
 spl_SplObjectStorageElement *pelement;
 char *hash;
 int hash_len;
-
+
 if (*p != ';') {
 goto outexcept;
 }
@@ -909,6 +910,7 @@
 goto outexcept;
 }
+ var_push_dtor(&var_hash, &pmembers);
 /* copy members */
 if (!intern->std.properties) {
 rebuild_object_properties(&intern->std);
Index: php5-5.6.11+dfsg/ext/spl/tests/bug70168.phpt
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ php5-5.6.11+dfsg/ext/spl/tests/bug70168.phpt 2015-09-25 11:29:38.343433667 -0400
@@ -0,0 +1,19 @@
+--TEST--
+SPL: Bug #70168 Use After Free Vulnerability in unserialize() with SplObjectStorage
+--FILE--
+
+===DONE===
+--EXPECT--
+int(1)
+===DONE===
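Review bot: The added `var_push_dtor(&var_hash, &pcount);` in the first spl_observer.c hunk carries no comment saying why the count zval must be handed to var_hash instead of being released by this function, which is the whole substance of the fix and exactly what a later cleanup is likely to revert; suggested: `/* hand pcount to var_hash so it is released only by php_var_unserialize_destroy(); freeing it early while the stream could still refer to it was bug #70168 */`. The same applies to `var_push_dtor(&var_hash, &pmembers);` in the second hunk. Presumably var_push_dtor takes its own reference on the zval in this 5.x unserializer, so any pre-existing `zval_ptr_dtor(&pcount)` or `zval_ptr_dtor(&pmembers)` further down (outside these hunks) remains balanced rather than becoming a double release — verify that against the var_push_dtor definition rather than assuming it. The enclosing function (apparently SplObjectStorage's unserialize handler, from the Z_LVAL_P(pcount) and spl_SplObjectStorageElement context) starts and ends outside both hunks, and the two `-`/`+` blank-line pairs are whitespace-only changes that a minimal security backport could have left out.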