wddx_deserialize null dereference

Disclosed: 2019-10-31 06:17:34 By fms To ibb
Vulnerability Details
Upstream Bug
---
https://bugs.php.net/bug.php?id=72750

Summary
--
When wddx_deserialize tries to parse an invalid base64 binary value, php_base64_decode returns NULL. The return value is used without being checked.

```
/* https://github.com/php/php-src/blob/master/ext/wddx/wddx.c#L896 */

if (!strcmp((char *)name, EL_BINARY)) {
    /* new_str is NULL when the element content is not valid base64 */
    zend_string *new_str = php_base64_decode(
        (unsigned char *)Z_STRVAL(ent1->data), Z_STRLEN(ent1->data));
    zval_ptr_dtor(&ent1->data);
    /* stored without a NULL check */
    ZVAL_STR(&ent1->data, new_str);
}
```

Patch
--
```
http://git.php.net/?p=php-src.git;a=commit;h=698a691724c0a949295991e5df091ce16f899e02
```

Fixed for PHP 5.6.25, PHP 7.0.10
--
http://php.net/ChangeLog-5.php
http://php.net/ChangeLog-7.php
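The pattern described above, as an added illustration that is not code from php-src or from the report: a decoder that returns NULL on invalid base64, and a caller that checks the result before storing it. `strict_b64_decode` and `handle_binary` are hypothetical names, and plain `char *` buffers (assumed writable, heap-allocated and NUL-terminated) stand in for `zend_string` and `zval`.

```c
#include <stdlib.h>
#include <string.h>

/* Map one base64 character to its 6-bit value, or -1 if it is not valid. */
static int b64_val(unsigned char c) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *p = c ? strchr(tbl, c) : NULL;
    return p ? (int)(p - tbl) : -1;
}

/* Hypothetical stand-in for php_base64_decode(): returns a malloc'd,
 * NUL-terminated buffer, or NULL when the input is not valid base64. */
char *strict_b64_decode(const char *in, size_t len, size_t *out_len) {
    if (len % 4 != 0) return NULL;
    char *out = malloc(len / 4 * 3 + 1);
    size_t o = 0;
    if (!out) return NULL;
    for (size_t i = 0; i < len; i += 4) {
        int v[4], pad = 0;
        for (int j = 0; j < 4; j++) {
            unsigned char c = (unsigned char)in[i + j];
            /* '=' is only accepted as padding at the end of the last group */
            if (c == '=' && i + 4 == len && j >= 2) { v[j] = 0; pad++; }
            else if (pad || (v[j] = b64_val(c)) < 0) { free(out); return NULL; }
        }
        unsigned long n = (v[0] << 18) | (v[1] << 12) | (v[2] << 6) | v[3];
        out[o++] = (char)(n >> 16);
        if (pad < 2) out[o++] = (char)(n >> 8);
        if (pad < 1) out[o++] = (char)n;
    }
    out[o] = '\0';
    *out_len = o;
    return out;
}

/* Handler for a binary element: replaces *data with the decoded bytes.
 * On invalid input it leaves an empty string instead of storing NULL.
 * Returns 0 on success, -1 on invalid input. */
int handle_binary(char **data, size_t *len) {
    size_t n = 0;
    char *decoded = strict_b64_decode(*data, *len, &n);
    if (!decoded) {            /* the check the report says was missing */
        (*data)[0] = '\0';
        *len = 0;
        return -1;
    }
    free(*data);
    *data = decoded;
    *len = n;
    return 0;
}
```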
Report Stats
  • Report ID: 161216
  • State: Closed
  • Substate: resolved
  • Upvotes: 1