[packages/php.git] / php-5.3.29-CVE-2015-0231.patch

diff -Naur php-5.3.29-original/ext/standard/tests/strings/bug68710.phpt php-5.3.29/ext/standard/tests/strings/bug68710.phpt
--- php-5.3.29-original/ext/standard/tests/strings/bug68710.phpt	1970-01-01 00:00:00.000000000 +0000
+++ php-5.3.29/ext/standard/tests/strings/bug68710.phpt	2015-01-24 14:53:04.321385336 +0000
@@ -0,0 +1,25 @@
+--TEST--
+Bug #68710 Use after free vulnerability in unserialize() (bypassing the
+CVE-2014-8142 fix)
+--FILE--
+<?php
+for ($i=4; $i<100; $i++) {
+    $m = new StdClass();
+
+    $u = array(1);
+
+    $m->aaa = array(1,2,&$u,4,5);
+    $m->bbb = 1;
+    $m->ccc = &$u;
+    $m->ddd = str_repeat("A", $i);
+
+    $z = serialize($m);
+    $z = str_replace("aaa", "123", $z);
+    $z = str_replace("bbb", "123", $z);
+    $y = unserialize($z);
+    $z = serialize($y);
+}
+?>
+===DONE===
+--EXPECTF--
+===DONE===
diff -Naur php-5.3.29-original/ext/standard/var_unserializer.c php-5.3.29/ext/standard/var_unserializer.c
--- php-5.3.29-original/ext/standard/var_unserializer.c	2015-01-24 14:50:14.682381430 +0000
+++ php-5.3.29/ext/standard/var_unserializer.c	2015-01-24 14:51:47.623383570 +0000
@@ -298,7 +298,7 @@
 		} else {
 			/* object properties should include no integers */
 			convert_to_string(key);
-			if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
+			if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
 				var_push_dtor(var_hash, old_data);
 			}
 			zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
diff -Naur php-5.3.29-original/ext/standard/var_unserializer.re php-5.3.29/ext/standard/var_unserializer.re
--- php-5.3.29-original/ext/standard/var_unserializer.re	2015-01-24 14:50:14.685381430 +0000
+++ php-5.3.29/ext/standard/var_unserializer.re	2015-01-24 14:52:13.191384159 +0000
@@ -304,7 +304,7 @@
 		} else {
 			/* object properties should include no integers */
 			convert_to_string(key);
-			if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
+			if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
 				var_push_dtor(var_hash, old_data);
 			}
 			zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
Commit	Line	Data
9fd17760 ER	1	diff -Naur php-5.3.29-original/ext/standard/tests/strings/bug68710.phpt php-5.3.29/ext/standard/tests/strings/bug68710.phpt
	2	--- php-5.3.29-original/ext/standard/tests/strings/bug68710.phpt 1970-01-01 00:00:00.000000000 +0000
	3	+++ php-5.3.29/ext/standard/tests/strings/bug68710.phpt 2015-01-24 14:53:04.321385336 +0000
	4	@@ -0,0 +1,25 @@
	5	+--TEST--
	6	+Bug #68710 Use after free vulnerability in unserialize() (bypassing the
	7	+CVE-2014-8142 fix)
	8	+--FILE--
	9	+<?php
	10	+for ($i=4; $i<100; $i++) {
	11	+ $m = new StdClass();
	12	+
	13	+ $u = array(1);
	14	+
	15	+ $m->aaa = array(1,2,&$u,4,5);
	16	+ $m->bbb = 1;
	17	+ $m->ccc = &$u;
	18	+ $m->ddd = str_repeat("A", $i);
	19	+
	20	+ $z = serialize($m);
	21	+ $z = str_replace("aaa", "123", $z);
	22	+ $z = str_replace("bbb", "123", $z);
	23	+ $y = unserialize($z);
	24	+ $z = serialize($y);
	25	+}
	26	+?>
	27	+===DONE===
	28	+--EXPECTF--
	29	+===DONE===
	30	diff -Naur php-5.3.29-original/ext/standard/var_unserializer.c php-5.3.29/ext/standard/var_unserializer.c
	31	--- php-5.3.29-original/ext/standard/var_unserializer.c 2015-01-24 14:50:14.682381430 +0000
	32	+++ php-5.3.29/ext/standard/var_unserializer.c 2015-01-24 14:51:47.623383570 +0000
	33	@@ -298,7 +298,7 @@
	34	} else {
	35	/* object properties should include no integers */
	36	convert_to_string(key);
	37	- if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
	38	+ if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
	39	var_push_dtor(var_hash, old_data);
	40	}
	41	zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
	42	diff -Naur php-5.3.29-original/ext/standard/var_unserializer.re php-5.3.29/ext/standard/var_unserializer.re
	43	--- php-5.3.29-original/ext/standard/var_unserializer.re 2015-01-24 14:50:14.685381430 +0000
	44	+++ php-5.3.29/ext/standard/var_unserializer.re 2015-01-24 14:52:13.191384159 +0000
	45	@@ -304,7 +304,7 @@
	46	} else {
	47	/* object properties should include no integers */
	48	convert_to_string(key);
	49	- if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
	50	+ if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
	51	var_push_dtor(var_hash, old_data);
	52	}
	53	zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,