From 863bf294feb9ad425eadb94f288bc7f18673089d Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev
Date: Sat, 1 Aug 2015 21:51:08 -0700
Subject: [PATCH] Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList)

---
 ext/spl/spl_dllist.c | 25 +++++++++++++------------
 ext/spl/tests/bug70169.phpt | 30 ++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+), 12 deletions(-)
 create mode 100644 ext/spl/tests/bug70169.phpt

Index: php5-5.6.11+dfsg/ext/spl/spl_dllist.c
===================================================================
--- php5-5.6.11+dfsg.orig/ext/spl/spl_dllist.c 2015-09-25 11:29:47.951555773 -0400
+++ php5-5.6.11+dfsg/ext/spl/spl_dllist.c 2015-09-25 11:29:47.951555773 -0400
@@ -1207,6 +1207,7 @@
 zval_ptr_dtor(&flags);
 goto error;
 }
+ var_push_dtor(&var_hash, &flags);
 intern->flags = Z_LVAL_P(flags);
 zval_ptr_dtor(&flags);
Index: php5-5.6.11+dfsg/ext/spl/tests/bug70169.phpt
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ php5-5.6.11+dfsg/ext/spl/tests/bug70169.phpt 2015-09-25 11:29:47.951555773 -0400
@@ -0,0 +1,30 @@
+--TEST--
+SPL: Bug #70169 Use After Free Vulnerability in unserialize() with SplDoublyLinkedList
+--FILE--
+
+===DONE===
+--EXPECTF--
+array(2) {
+ [0]=>
+ object(SplDoublyLinkedList)#%d (2) {
+ ["flags":"SplDoublyLinkedList":private]=>
+ int(1)
+ ["dllist":"SplDoublyLinkedList":private]=>
+ array(0) {
+ }
+ }
+ [1]=>
+ int(1)
+}
+===DONE===
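Review bot: The added `var_push_dtor(&var_hash, &flags);` carries no explanation of why `flags` must not be released by the `zval_ptr_dtor(&flags);` two lines below it, so a later reader could move or drop the call and reintroduce the use-after-free from bug #70169; a comment such as `/* keep flags alive until var_hash is torn down: a back-reference later in the stream may still point at it */` would pin the intent. The same guard is not applied on the `goto error` path just above, which appears safe only because no further unserialization happens after the jump — worth confirming against the `error:` label, which lies outside the hunk. The diffstat in the header reports 13 additions and 12 deletions for spl_dllist.c while this hunk adds a single line, so this looks like a partial backport of the upstream commit; the Subject and diffstat should reflect what the patch actually carries. The enclosing function starts and ends outside the hunk.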