Fixed OSS fuzz issues #55589, #55599, and #55727

derickr · derickr · commit 5d9ee8f920d2 · 2023-02-10T13:03:47.000Z
diff --git a/.gitattributes b/.gitattributes
@@ -23,3 +23,6 @@
 **/*_arginfo.h linguist-generated
 /Zend/zend_vm_execute.h linguist-generated
 /Zend/zend_vm_opcodes.{h,c} linguist-generated
+
+# The OSS fuzz files are bunary
+/ext/date/tests/ossfuzz*.txt binary
diff --git a/ext/date/php_date.c b/ext/date/php_date.c
@@ -2706,6 +2706,7 @@ PHP_METHOD(DateTime, __set_state)
 	dateobj = Z_PHPDATE_P(return_value);
 	if (!php_date_initialize_from_hash(&dateobj, myht)) {
 		zend_throw_error(NULL, "Invalid serialization data for DateTime object");
+		RETURN_THROWS();
 	}
 }
 /* }}} */
@@ -2727,6 +2728,7 @@ PHP_METHOD(DateTimeImmutable, __set_state)
 	dateobj = Z_PHPDATE_P(return_value);
 	if (!php_date_initialize_from_hash(&dateobj, myht)) {
 		zend_throw_error(NULL, "Invalid serialization data for DateTimeImmutable object");
+		RETURN_THROWS();
 	}
 }
 /* }}} */
@@ -2789,7 +2791,7 @@ static void restore_custom_datetime_properties(zval *object, HashTable *myht)
 	zval             *prop_val;
 
 	ZEND_HASH_MAP_FOREACH_STR_KEY_VAL(myht, prop_name, prop_val) {
-		if (date_time_is_internal_property(prop_name)) {
+		if (!prop_name || (Z_TYPE_P(prop_val) == IS_REFERENCE) || date_time_is_internal_property(prop_name)) {
 			continue;
 		}
 		add_property_zval_ex(object, ZSTR_VAL(prop_name), ZSTR_LEN(prop_name), prop_val);
@@ -2813,6 +2815,7 @@ PHP_METHOD(DateTime, __unserialize)
 
 	if (!php_date_initialize_from_hash(&dateobj, myht)) {
 		zend_throw_error(NULL, "Invalid serialization data for DateTime object");
+		RETURN_THROWS();
 	}
 
 	restore_custom_datetime_properties(object, myht);
@@ -2836,6 +2839,7 @@ PHP_METHOD(DateTimeImmutable, __unserialize)
 
 	if (!php_date_initialize_from_hash(&dateobj, myht)) {
 		zend_throw_error(NULL, "Invalid serialization data for DateTimeImmutable object");
+		RETURN_THROWS();
 	}
 
 	restore_custom_datetime_properties(object, myht);
@@ -3821,7 +3825,7 @@ static void restore_custom_datetimezone_properties(zval *object, HashTable *myht
 	zval             *prop_val;
 
 	ZEND_HASH_MAP_FOREACH_STR_KEY_VAL(myht, prop_name, prop_val) {
-		if (date_timezone_is_internal_property(prop_name)) {
+		if (!prop_name || (Z_TYPE_P(prop_val) == IS_REFERENCE) || date_timezone_is_internal_property(prop_name)) {
 			continue;
 		}
 		add_property_zval_ex(object, ZSTR_VAL(prop_name), ZSTR_LEN(prop_name), prop_val);
@@ -4449,7 +4453,7 @@ static void restore_custom_dateinterval_properties(zval *object, HashTable *myht
 	zval             *prop_val;
 
 	ZEND_HASH_MAP_FOREACH_STR_KEY_VAL(myht, prop_name, prop_val) {
-		if (date_interval_is_internal_property(prop_name)) {
+		if (!prop_name || (Z_TYPE_P(prop_val) == IS_REFERENCE) || date_interval_is_internal_property(prop_name)) {
 			continue;
 		}
 		add_property_zval_ex(object, ZSTR_VAL(prop_name), ZSTR_LEN(prop_name), prop_val);
@@ -5411,7 +5415,7 @@ static void restore_custom_dateperiod_properties(zval *object, HashTable *myht)
 	zval             *prop_val;
 
 	ZEND_HASH_MAP_FOREACH_STR_KEY_VAL(myht, prop_name, prop_val) {
-		if (date_period_is_internal_property(prop_name)) {
+		if (!prop_name || (Z_TYPE_P(prop_val) == IS_REFERENCE) || date_period_is_internal_property(prop_name)) {
 			continue;
 		}
 		add_property_zval_ex(object, ZSTR_VAL(prop_name), ZSTR_LEN(prop_name), prop_val);
diff --git a/ext/date/tests/ossfuzz-55589.txt b/ext/date/tests/ossfuzz-55589.txt
@@ -0,0 +1 @@
+|O:12:"DaTeInterval":2:{i:2;r:1;i:0;R:2;
diff --git a/ext/date/tests/ossfuzz-55599.txt b/ext/date/tests/ossfuzz-55599.txt
@@ -0,0 +1 @@
+|O:8:"DateTime":1:{i:1;d:2;
diff --git a/ext/date/tests/ossfuzz-55727.txt b/ext/date/tests/ossfuzz-55727.txt
diff --git a/ext/date/tests/unserialize-test.phpt b/ext/date/tests/unserialize-test.phpt
@@ -0,0 +1,39 @@
+--TEST--
+Test DateInterval::__unserialize OSS fuzz issues
+--FILE--
+<?php
+$files = [
+	'ossfuzz-55589.txt',
+	'ossfuzz-55599.txt',
+	'ossfuzz-55727.txt',
+];
+
+foreach ($files as $file) {
+	echo "{$file}: ";
+
+	$s = file_get_contents(__DIR__ . "/{$file}");
+
+	try {
+		$x = unserialize(substr($s, strpos($s, "|") + 1));
+	} catch (Error $e) {
+		echo get_class($e), ': ', $e->getMessage(), "\n";
+	}
+	var_dump($x);
+	echo "\n\n";
+}
+?>
+--EXPECTF--
+ossfuzz-55589.txt: 
+%s: unserialize(): Error at offset 39 of 39 bytes in %sunserialize-test.php on line 14
+bool(false)
+
+
+ossfuzz-55599.txt: 
+%s: unserialize(): Error at offset 26 of 26 bytes in %sunserialize-test.php on line 14
+Error: Invalid serialization data for DateTime object
+bool(false)
+
+
+ossfuzz-55727.txt: 
+%s: unserialize(): Error at offset 230 of 509 bytes in %sunserialize-test.php on line 14
+bool(false)

Original file line number	Diff line number	Diff line change
`@@ -2706,6 +2706,7 @@ PHP_METHOD(DateTime, __set_state)`
`2706`	`2706`	`dateobj = Z_PHPDATE_P(return_value);`
`2707`	`2707`	`if (!php_date_initialize_from_hash(&dateobj, myht)) {`
`2708`	`2708`	`zend_throw_error(NULL, "Invalid serialization data for DateTime object");`
	`2709`	`+ RETURN_THROWS();`
`2709`	`2710`	`}`
`2710`	`2711`	`}`
`2711`	`2712`	`/* }}} */`
`@@ -2727,6 +2728,7 @@ PHP_METHOD(DateTimeImmutable, __set_state)`
`2727`	`2728`	`dateobj = Z_PHPDATE_P(return_value);`
`2728`	`2729`	`if (!php_date_initialize_from_hash(&dateobj, myht)) {`
`2729`	`2730`	`zend_throw_error(NULL, "Invalid serialization data for DateTimeImmutable object");`
	`2731`	`+ RETURN_THROWS();`
`2730`	`2732`	`}`
`2731`	`2733`	`}`
`2732`	`2734`	`/* }}} */`
`@@ -2789,7 +2791,7 @@ static void restore_custom_datetime_properties(zval object, HashTable myht)`
`2789`	`2791`	`zval *prop_val;`
`2790`	`2792`
`2791`	`2793`	`ZEND_HASH_MAP_FOREACH_STR_KEY_VAL(myht, prop_name, prop_val) {`
`2792`		`- if (date_time_is_internal_property(prop_name)) {`
	`2794`	`+ if (!prop_name \|\| (Z_TYPE_P(prop_val) == IS_REFERENCE) \|\| date_time_is_internal_property(prop_name)) {`
`2793`	`2795`	`continue;`
`2794`	`2796`	`}`
`2795`	`2797`	`add_property_zval_ex(object, ZSTR_VAL(prop_name), ZSTR_LEN(prop_name), prop_val);`
`@@ -2813,6 +2815,7 @@ PHP_METHOD(DateTime, __unserialize)`
`2813`	`2815`
`2814`	`2816`	`if (!php_date_initialize_from_hash(&dateobj, myht)) {`
`2815`	`2817`	`zend_throw_error(NULL, "Invalid serialization data for DateTime object");`
	`2818`	`+ RETURN_THROWS();`
`2816`	`2819`	`}`
`2817`	`2820`
`2818`	`2821`	`restore_custom_datetime_properties(object, myht);`
`@@ -2836,6 +2839,7 @@ PHP_METHOD(DateTimeImmutable, __unserialize)`
`2836`	`2839`
`2837`	`2840`	`if (!php_date_initialize_from_hash(&dateobj, myht)) {`
`2838`	`2841`	`zend_throw_error(NULL, "Invalid serialization data for DateTimeImmutable object");`
	`2842`	`+ RETURN_THROWS();`
`2839`	`2843`	`}`
`2840`	`2844`
`2841`	`2845`	`restore_custom_datetime_properties(object, myht);`
`@@ -3821,7 +3825,7 @@ static void restore_custom_datetimezone_properties(zval object, HashTable myht`
`3821`	`3825`	`zval *prop_val;`
`3822`	`3826`
`3823`	`3827`	`ZEND_HASH_MAP_FOREACH_STR_KEY_VAL(myht, prop_name, prop_val) {`
`3824`		`- if (date_timezone_is_internal_property(prop_name)) {`
	`3828`	`+ if (!prop_name \|\| (Z_TYPE_P(prop_val) == IS_REFERENCE) \|\| date_timezone_is_internal_property(prop_name)) {`
`3825`	`3829`	`continue;`
`3826`	`3830`	`}`
`3827`	`3831`	`add_property_zval_ex(object, ZSTR_VAL(prop_name), ZSTR_LEN(prop_name), prop_val);`
`@@ -4449,7 +4453,7 @@ static void restore_custom_dateinterval_properties(zval object, HashTable myht`
`4449`	`4453`	`zval *prop_val;`
`4450`	`4454`
`4451`	`4455`	`ZEND_HASH_MAP_FOREACH_STR_KEY_VAL(myht, prop_name, prop_val) {`
`4452`		`- if (date_interval_is_internal_property(prop_name)) {`
	`4456`	`+ if (!prop_name \|\| (Z_TYPE_P(prop_val) == IS_REFERENCE) \|\| date_interval_is_internal_property(prop_name)) {`
`4453`	`4457`	`continue;`
`4454`	`4458`	`}`
`4455`	`4459`	`add_property_zval_ex(object, ZSTR_VAL(prop_name), ZSTR_LEN(prop_name), prop_val);`
`@@ -5411,7 +5415,7 @@ static void restore_custom_dateperiod_properties(zval object, HashTable myht)`
`5411`	`5415`	`zval *prop_val;`
`5412`	`5416`
`5413`	`5417`	`ZEND_HASH_MAP_FOREACH_STR_KEY_VAL(myht, prop_name, prop_val) {`
`5414`		`- if (date_period_is_internal_property(prop_name)) {`
	`5418`	`+ if (!prop_name \|\| (Z_TYPE_P(prop_val) == IS_REFERENCE) \|\| date_period_is_internal_property(prop_name)) {`
`5415`	`5419`	`continue;`
`5416`	`5420`	`}`
`5417`	`5421`	`add_property_zval_ex(object, ZSTR_VAL(prop_name), ZSTR_LEN(prop_name), prop_val);`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+\|O:12:"DaTeInterval":2:{i:2;r:1;i:0;R:2;`