[packages/php.git] / php-5.3.29-CVE-2014-8142.patch

diff -Naur php-5.3.29-original/ext/standard/tests/serialize/bug68594.phpt php-5.3.29/ext/standard/tests/serialize/bug68594.phpt
--- php-5.3.29-original/ext/standard/tests/serialize/bug68594.phpt	1970-01-01 00:00:00.000000000 +0000
+++ php-5.3.29/ext/standard/tests/serialize/bug68594.phpt	2015-01-24 13:14:16.222248839 +0000
@@ -0,0 +1,23 @@
+--TEST--
+Bug #68545 Use after free vulnerability in unserialize()
+--FILE--
+<?php
+for ($i=4; $i<100; $i++) {
+	$m = new StdClass();
+
+	$u = array(1);
+
+	$m->aaa = array(1,2,&$u,4,5);
+	$m->bbb = 1;
+	$m->ccc = &$u;
+	$m->ddd = str_repeat("A", $i);
+
+	$z = serialize($m);
+	$z = str_replace("bbb", "aaa", $z);
+	$y = unserialize($z);
+	$z = serialize($y);
+}
+?>
+===DONE===
+--EXPECTF--
+===DONE===
diff -Naur php-5.3.29-original/ext/standard/var_unserializer.c php-5.3.29/ext/standard/var_unserializer.c
--- php-5.3.29-original/ext/standard/var_unserializer.c	2015-01-24 13:05:17.310236430 +0000
+++ php-5.3.29/ext/standard/var_unserializer.c	2015-01-24 13:09:14.269241886 +0000
@@ -298,6 +298,9 @@
 		} else {
 			/* object properties should include no integers */
 			convert_to_string(key);
+			if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
+				var_push_dtor(var_hash, old_data);
+			}
 			zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
 					sizeof data, NULL);
 		}
diff -Naur php-5.3.29-original/ext/standard/var_unserializer.re php-5.3.29/ext/standard/var_unserializer.re
--- php-5.3.29-original/ext/standard/var_unserializer.re	2015-01-24 13:05:17.310236430 +0000
+++ php-5.3.29/ext/standard/var_unserializer.re	2015-01-24 13:07:59.593240167 +0000
@@ -304,6 +304,9 @@
 		} else {
 			/* object properties should include no integers */
 			convert_to_string(key);
+			if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
+				var_push_dtor(var_hash, old_data);
+			}
 			zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
 					sizeof data, NULL);
 		}
Commit	Line	Data
9fd17760 ER	1	diff -Naur php-5.3.29-original/ext/standard/tests/serialize/bug68594.phpt php-5.3.29/ext/standard/tests/serialize/bug68594.phpt
	2	--- php-5.3.29-original/ext/standard/tests/serialize/bug68594.phpt 1970-01-01 00:00:00.000000000 +0000
	3	+++ php-5.3.29/ext/standard/tests/serialize/bug68594.phpt 2015-01-24 13:14:16.222248839 +0000
	4	@@ -0,0 +1,23 @@
	5	+--TEST--
	6	+Bug #68545 Use after free vulnerability in unserialize()
	7	+--FILE--
	8	+<?php
	9	+for ($i=4; $i<100; $i++) {
	10	+ $m = new StdClass();
	11	+
	12	+ $u = array(1);
	13	+
	14	+ $m->aaa = array(1,2,&$u,4,5);
	15	+ $m->bbb = 1;
	16	+ $m->ccc = &$u;
	17	+ $m->ddd = str_repeat("A", $i);
	18	+
	19	+ $z = serialize($m);
	20	+ $z = str_replace("bbb", "aaa", $z);
	21	+ $y = unserialize($z);
	22	+ $z = serialize($y);
	23	+}
	24	+?>
	25	+===DONE===
	26	+--EXPECTF--
	27	+===DONE===
	28	diff -Naur php-5.3.29-original/ext/standard/var_unserializer.c php-5.3.29/ext/standard/var_unserializer.c
	29	--- php-5.3.29-original/ext/standard/var_unserializer.c 2015-01-24 13:05:17.310236430 +0000
	30	+++ php-5.3.29/ext/standard/var_unserializer.c 2015-01-24 13:09:14.269241886 +0000
	31	@@ -298,6 +298,9 @@
	32	} else {
	33	/* object properties should include no integers */
	34	convert_to_string(key);
	35	+ if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
	36	+ var_push_dtor(var_hash, old_data);
	37	+ }
	38	zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
	39	sizeof data, NULL);
	40	}
	41	diff -Naur php-5.3.29-original/ext/standard/var_unserializer.re php-5.3.29/ext/standard/var_unserializer.re
	42	--- php-5.3.29-original/ext/standard/var_unserializer.re 2015-01-24 13:05:17.310236430 +0000
	43	+++ php-5.3.29/ext/standard/var_unserializer.re 2015-01-24 13:07:59.593240167 +0000
	44	@@ -304,6 +304,9 @@
	45	} else {
	46	/* object properties should include no integers */
	47	convert_to_string(key);
	48	+ if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
	49	+ var_push_dtor(var_hash, old_data);
	50	+ }
	51	zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
	52	sizeof data, NULL);
	53	}