The object_common1 function in ext/standard/var_unserializer.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (buffer over-read and application crash) via crafted serialized data that is mishandled in a finish_nested_data call.
{ "vanir_signatures": [ { "deprecated": false, "target": { "function": "object_common1", "file": "ext/standard/var_unserializer.c" }, "source": "https://github.com/php/php-src/commit/16b3003ffc6393e250f069aa28a78dc5a2c064b2", "signature_type": "Function", "id": "CVE-2016-10161-3b9c5256", "signature_version": "v1", "digest": { "function_hash": "102014736888371947073622309327152596049", "length": 313.0 } }, { "deprecated": false, "target": { "file": "ext/standard/var_unserializer.c" }, "source": "https://github.com/php/php-src/commit/16b3003ffc6393e250f069aa28a78dc5a2c064b2", "signature_type": "Line", "id": "CVE-2016-10161-d7bff264", "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "156659818536995479401509881781153512977", "332411611261216109036119952550949627613", "175154365176312667493289913859517617239", "292808490699705175769846566855350577236", "204434093787147435695643524830940913973", "320404238966101544780012746116739028271", "254394193571028949476121628024199669157", "115826316860869632762850898256170057526", "288492443928640837034179369550419455465", "133597691269487802737759265767477076106", "133241928916394438999813332856060650490", "309069877246144241021183162857731752804", "300149141241140382422723902163337113949", "14537897399130975906325317205706474113", "135217159720101803264493392694616503520", "185283076345212462460319318519649780313", "108619621929876402586697073964540229436", "170971560399662829679597257279898093945", "94274429891472346158462649840890783608", "252924041623091431529690206662692415087", "135128096153015951808915615995313681469", "131619494778740792699116875231065282177", "317618530951820823023060414865401146756", "290489602454746427164461411655086850817", "148091462504421943564866916766665278755", "209812401911288028761332120089306364792", "248469110157997342180112564542801052355", "70020660201742646952249257863737609102", "301943635684423793388392119989171192422", "40252293043020688685497495068642280938", 
"91594551533227649248260845118997565747", "214007313744332650750185026050483657036", "111319538503803771628706851971394481706", "244404457169388937967563546267485743000", "51764611741152284502137778962470086133", "121211149818397940948596097403179740791", "124549686909994422343267069861448504208", "86604770935606210151290431002680849145", "322295431206784981122893089000068246954", "144854636401275310515902943222557455535", "240376856352271781753213191599085365136", "75389880859964568614716422307806993942", "131394561621523499781273345186884665026", "269344781322131441083608982517773901734", "63715437653235278129229794125032662148", "116832660271284920756294505450241968017", "25968016611702531840726495991311735263", "48314656578202292035288425544720254354", "81268529378724751960807935402108811495", "242903849568173550314315686971900602004", "289952286420159641552369844466606222201", "219777442382589674082647241951381047968", "203512797816867684133096412369260062681", "83316624676644098589983353475335242517", "222615053622175322934130995245001132284", "296323254794011160863202133311018479720", "317804225334766029110804062146121860382", "186664742860248452216040960675085258063", "278428620155752142638995760764112252093", "164756599401284224735253047706912681131", "236277780640987173307473841942057651246", "131453700100823837398392671304147153945", "93377686039681326460382529325332090830", "252642025292617061297567034208787785854", "105837189904120547275578161330148719999", "122695124371188015545299777422713641247", "106690670692583702481938425110489899852", "304119051236576772722763469777272013806", "28887068261345770513340006360061472811", "26280133394899063511596617912024520866", "307544587225187099823242738742231964521", "319581235034079905796705509909439236663", "162463844005770259670660752817855738370", "281966980067648074142240566543507404698", "294192437121896453685798446473529735239", "332362950513434373589925779088976557318", 
"108481352702888374011932934116500558828", "313438773159103981145298018448890417611", "219156078207585343436216815655929233414", "276214493963318764412424534748639683905", "41472256311408623347091202367731237368", "340226588820199043384612652998513531703", "303008292955944647144697137037776545327", "224866211994852054833883023846344453355", "85904425184399690027432215477446959133", "68308686890663402683343305057866492833", "186284636420507909642181281237471146931", "47097122779524089833671815772292756884", "37678903134115544278786524366861534611", "95113748457258960652270451863821414665", "323258015265784422023455444648171044409", "179747643586564489227379687069668531891", "242635727781932376784849390327411636973", "246219371449065516249945285850096598908", "111031523661467018242541877133279896151", "41425997854386759240047914135191211728", "153603517312343001461786959562384503529", "303177413990508647812165651295005986045", "184928466765896983686724124135951223638", "208332658735844803438330063883868864534", "111664045586250202426077714417272175202", "52745000606477910756160017957810204591", "51388981653003571918957703208683824275", "194469745212707854925036397979089728118", "84383999315842369499585587257702349447", "162028921666032764772388315493565288507", "51822975246475781917709858843502398203", "111330423438275767697563063323763280383", "326389986972610958986243871476829569596", "44401052975791225495741697253619455363", "313570138683617402028941989883696069615", "325169024165300323148198388953566181754", "322407698099982339444906360000862459888", "43093420482722734695652864146531921571", "102397668688437072526612661462575961794", "49457835069486511479137183234573342579", "297220464977272875635183875237861531565", "149330455243355885366588866922312608332", "289901322037952959099632678126383520970", "158275766494886894846308081583175902083", "244483168919666275356027592949487377141", "95589939382653840870153607230996668198", 
"96413379463859426235342842489805942111", "175295321965973290456496374677676168607", "73548063894324940807259246949041291648", "283637413765299367478168749713634756015", "169983434125104900482280482422699795451", "144324876620989193981448371400489921546", "216519841270810782881753630797795169707", "91468875349476294403202370719769848254", "152268322992391752766634161049229233651", "251449454170298881274153760483186219867", "328106744939042563559879595229177638190", "166814590317547466466707822212784960674" ] } }, { "deprecated": false, "target": { "function": "php_var_unserialize", "file": "ext/standard/var_unserializer.c" }, "source": "https://github.com/php/php-src/commit/16b3003ffc6393e250f069aa28a78dc5a2c064b2", "signature_type": "Function", "id": "CVE-2016-10161-f5aaf487", "signature_version": "v1", "digest": { "function_hash": "198732413940183559551554626991973413187", "length": 17379.0 } } ] }