Posted by 牛保龙 on Aug 12

i reported a use after free for php on hackerone.com,the bug :https://bugs.php.net/bug.php?id=70211.

Description: ———— the Hash table is full, resize it,ZEND_HASH_IF_FULL_DO_RESIZE(ht),but if one elment is
already allocate in the old memery and re-allocate in the new memry and the var_hash struct also exists the old memery
for the element, it can cause a use after free when unserialize() function has r/R referer. my english is poor. i…