The object_common1 function in ext/standard/var_unserializer.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (buffer over-read and application crash) via crafted serialized data that is mishandled in a finish_nested_data call.
[
{
"source": "https://github.com/php/php-src/commit/16b3003ffc6393e250f069aa28a78dc5a2c064b2",
"id": "CVE-2016-10161-3b9c5256",
"signature_type": "Function",
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "object_common1",
"file": "ext/standard/var_unserializer.c"
},
"digest": {
"function_hash": "102014736888371947073622309327152596049",
"length": 313.0
}
},
{
"source": "https://github.com/php/php-src/commit/16b3003ffc6393e250f069aa28a78dc5a2c064b2",
"id": "CVE-2016-10161-d7bff264",
"signature_type": "Line",
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "ext/standard/var_unserializer.c"
},
"digest": {
"line_hashes": [
"156659818536995479401509881781153512977",
"332411611261216109036119952550949627613",
"175154365176312667493289913859517617239",
"292808490699705175769846566855350577236",
"204434093787147435695643524830940913973",
"320404238966101544780012746116739028271",
"254394193571028949476121628024199669157",
"115826316860869632762850898256170057526",
"288492443928640837034179369550419455465",
"133597691269487802737759265767477076106",
"133241928916394438999813332856060650490",
"309069877246144241021183162857731752804",
"300149141241140382422723902163337113949",
"14537897399130975906325317205706474113",
"135217159720101803264493392694616503520",
"185283076345212462460319318519649780313",
"108619621929876402586697073964540229436",
"170971560399662829679597257279898093945",
"94274429891472346158462649840890783608",
"252924041623091431529690206662692415087",
"135128096153015951808915615995313681469",
"131619494778740792699116875231065282177",
"317618530951820823023060414865401146756",
"290489602454746427164461411655086850817",
"148091462504421943564866916766665278755",
"209812401911288028761332120089306364792",
"248469110157997342180112564542801052355",
"70020660201742646952249257863737609102",
"301943635684423793388392119989171192422",
"40252293043020688685497495068642280938",
"91594551533227649248260845118997565747",
"214007313744332650750185026050483657036",
"111319538503803771628706851971394481706",
"244404457169388937967563546267485743000",
"51764611741152284502137778962470086133",
"121211149818397940948596097403179740791",
"124549686909994422343267069861448504208",
"86604770935606210151290431002680849145",
"322295431206784981122893089000068246954",
"144854636401275310515902943222557455535",
"240376856352271781753213191599085365136",
"75389880859964568614716422307806993942",
"131394561621523499781273345186884665026",
"269344781322131441083608982517773901734",
"63715437653235278129229794125032662148",
"116832660271284920756294505450241968017",
"25968016611702531840726495991311735263",
"48314656578202292035288425544720254354",
"81268529378724751960807935402108811495",
"242903849568173550314315686971900602004",
"289952286420159641552369844466606222201",
"219777442382589674082647241951381047968",
"203512797816867684133096412369260062681",
"83316624676644098589983353475335242517",
"222615053622175322934130995245001132284",
"296323254794011160863202133311018479720",
"317804225334766029110804062146121860382",
"186664742860248452216040960675085258063",
"278428620155752142638995760764112252093",
"164756599401284224735253047706912681131",
"236277780640987173307473841942057651246",
"131453700100823837398392671304147153945",
"93377686039681326460382529325332090830",
"252642025292617061297567034208787785854",
"105837189904120547275578161330148719999",
"122695124371188015545299777422713641247",
"106690670692583702481938425110489899852",
"304119051236576772722763469777272013806",
"28887068261345770513340006360061472811",
"26280133394899063511596617912024520866",
"307544587225187099823242738742231964521",
"319581235034079905796705509909439236663",
"162463844005770259670660752817855738370",
"281966980067648074142240566543507404698",
"294192437121896453685798446473529735239",
"332362950513434373589925779088976557318",
"108481352702888374011932934116500558828",
"313438773159103981145298018448890417611",
"219156078207585343436216815655929233414",
"276214493963318764412424534748639683905",
"41472256311408623347091202367731237368",
"340226588820199043384612652998513531703",
"303008292955944647144697137037776545327",
"224866211994852054833883023846344453355",
"85904425184399690027432215477446959133",
"68308686890663402683343305057866492833",
"186284636420507909642181281237471146931",
"47097122779524089833671815772292756884",
"37678903134115544278786524366861534611",
"95113748457258960652270451863821414665",
"323258015265784422023455444648171044409",
"179747643586564489227379687069668531891",
"242635727781932376784849390327411636973",
"246219371449065516249945285850096598908",
"111031523661467018242541877133279896151",
"41425997854386759240047914135191211728",
"153603517312343001461786959562384503529",
"303177413990508647812165651295005986045",
"184928466765896983686724124135951223638",
"208332658735844803438330063883868864534",
"111664045586250202426077714417272175202",
"52745000606477910756160017957810204591",
"51388981653003571918957703208683824275",
"194469745212707854925036397979089728118",
"84383999315842369499585587257702349447",
"162028921666032764772388315493565288507",
"51822975246475781917709858843502398203",
"111330423438275767697563063323763280383",
"326389986972610958986243871476829569596",
"44401052975791225495741697253619455363",
"313570138683617402028941989883696069615",
"325169024165300323148198388953566181754",
"322407698099982339444906360000862459888",
"43093420482722734695652864146531921571",
"102397668688437072526612661462575961794",
"49457835069486511479137183234573342579",
"297220464977272875635183875237861531565",
"149330455243355885366588866922312608332",
"289901322037952959099632678126383520970",
"158275766494886894846308081583175902083",
"244483168919666275356027592949487377141",
"95589939382653840870153607230996668198",
"96413379463859426235342842489805942111",
"175295321965973290456496374677676168607",
"73548063894324940807259246949041291648",
"283637413765299367478168749713634756015",
"169983434125104900482280482422699795451",
"144324876620989193981448371400489921546",
"216519841270810782881753630797795169707",
"91468875349476294403202370719769848254",
"152268322992391752766634161049229233651",
"251449454170298881274153760483186219867",
"328106744939042563559879595229177638190",
"166814590317547466466707822212784960674"
],
"threshold": 0.9
}
},
{
"source": "https://github.com/php/php-src/commit/16b3003ffc6393e250f069aa28a78dc5a2c064b2",
"id": "CVE-2016-10161-f5aaf487",
"signature_type": "Function",
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "php_var_unserialize",
"file": "ext/standard/var_unserializer.c"
},
"digest": {
"function_hash": "198732413940183559551554626991973413187",
"length": 17379.0
}
}
]