1 diff -Naur php-5.3.29-original/ext/standard/tests/serialize/bug68594.phpt php-5.3.29/ext/standard/tests/serialize/bug68594.phpt
2 --- php-5.3.29-original/ext/standard/tests/serialize/bug68594.phpt 1970-01-01 00:00:00.000000000 +0000
3 +++ php-5.3.29/ext/standard/tests/serialize/bug68594.phpt 2015-01-24 13:14:16.222248839 +0000
6 +Bug #68545 Use after free vulnerability in unserialize()
9 +for ($i=4; $i<100; $i++) {
10 + $m = new StdClass();
14 + $m->aaa = array(1,2,&$u,4,5);
17 + $m->ddd = str_repeat("A", $i);
20 + $z = str_replace("bbb", "aaa", $z);
21 + $y = unserialize($z);
28 diff -Naur php-5.3.29-original/ext/standard/var_unserializer.c php-5.3.29/ext/standard/var_unserializer.c
29 --- php-5.3.29-original/ext/standard/var_unserializer.c 2015-01-24 13:05:17.310236430 +0000
30 +++ php-5.3.29/ext/standard/var_unserializer.c 2015-01-24 13:09:14.269241886 +0000
33 /* object properties should include no integers */
34 convert_to_string(key);
35 + if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
36 + var_push_dtor(var_hash, old_data);
38 zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
41 diff -Naur php-5.3.29-original/ext/standard/var_unserializer.re php-5.3.29/ext/standard/var_unserializer.re
42 --- php-5.3.29-original/ext/standard/var_unserializer.re 2015-01-24 13:05:17.310236430 +0000
43 +++ php-5.3.29/ext/standard/var_unserializer.re 2015-01-24 13:07:59.593240167 +0000
46 /* object properties should include no integers */
47 convert_to_string(key);
48 + if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
49 + var_push_dtor(var_hash, old_data);
51 zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,