[packages/php.git] / php-5.3.3-CVE-2014-3669.patch

Adapted for PHP 5.4.16 from 

From 56754a7f9eba0e4f559b6ca081d9f2a447b3f159 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sun, 28 Sep 2014 14:19:31 -0700
Subject: [PATCH] Fixed bug #68044: Integer overflow in unserialize() (32-bits
 only)

---
 NEWS                                       |  5 ++++-
 ext/standard/tests/serialize/bug68044.phpt | 12 ++++++++++++
 ext/standard/var_unserializer.c            |  4 ++--
 ext/standard/var_unserializer.re           |  2 +-
 4 files changed, 19 insertions(+), 4 deletions(-)
 create mode 100644 ext/standard/tests/serialize/bug68044.phpt

diff --git a/ext/standard/tests/serialize/bug68044.phpt b/ext/standard/tests/serialize/bug68044.phpt
new file mode 100644
index 0000000..031e44e
--- /dev/null
+++ b/ext/standard/tests/serialize/bug68044.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Bug #68044 Integer overflow in unserialize() (32-bits only)
+--FILE--
+<?php
+	echo unserialize('C:3:"XYZ":18446744075857035259:{}');
+?>
+===DONE==
+--EXPECTF--
+Warning: Insufficient data for unserializing - %d required, 1 present in %s/bug68044.php on line 2
+
+Notice: unserialize(): Error at offset 32 of 33 bytes in %s/bug68044.php on line 2
+===DONE==
diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
index 657051f..8129da3 100644
--- a/ext/standard/var_unserializer.c
+++ b/ext/standard/var_unserializer.c
@@ -326,7 +326,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
 
 	(*p) += 2;
 
-	if (datalen < 0 || (*p) + datalen >= max) {
+	if (datalen < 0 || (max - (*p)) <= datalen) {
 		zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p)));
 		return 0;
 	}
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
index 1307508..6de1583 100644
--- a/ext/standard/var_unserializer.re
+++ b/ext/standard/var_unserializer.re
@@ -332,7 +332,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
 
 	(*p) += 2;
 
-	if (datalen < 0 || (*p) + datalen >= max) {
+	if (datalen < 0 || (max - (*p)) <= datalen) {
 		zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p)));
 		return 0;
 	}
-- 
2.1.0
Commit	Line	Data
9fd17760 ER	1	Adapted for PHP 5.4.16 from
	2
	3	From 56754a7f9eba0e4f559b6ca081d9f2a447b3f159 Mon Sep 17 00:00:00 2001
	4	From: Stanislav Malyshev <stas@php.net>
	5	Date: Sun, 28 Sep 2014 14:19:31 -0700
	6	Subject: [PATCH] Fixed bug #68044: Integer overflow in unserialize() (32-bits
	7	only)
	8
	9	---
	10	NEWS \| 5 ++++-
	11	ext/standard/tests/serialize/bug68044.phpt \| 12 ++++++++++++
	12	ext/standard/var_unserializer.c \| 4 ++--
	13	ext/standard/var_unserializer.re \| 2 +-
	14	4 files changed, 19 insertions(+), 4 deletions(-)
	15	create mode 100644 ext/standard/tests/serialize/bug68044.phpt
	16
	17	diff --git a/ext/standard/tests/serialize/bug68044.phpt b/ext/standard/tests/serialize/bug68044.phpt
	18	new file mode 100644
	19	index 0000000..031e44e
	20	--- /dev/null
	21	+++ b/ext/standard/tests/serialize/bug68044.phpt
	22	@@ -0,0 +1,12 @@
	23	+--TEST--
	24	+Bug #68044 Integer overflow in unserialize() (32-bits only)
	25	+--FILE--
	26	+<?php
	27	+ echo unserialize('C:3:"XYZ":18446744075857035259:{}');
	28	+?>
	29	+===DONE==
	30	+--EXPECTF--
	31	+Warning: Insufficient data for unserializing - %d required, 1 present in %s/bug68044.php on line 2
	32	+
	33	+Notice: unserialize(): Error at offset 32 of 33 bytes in %s/bug68044.php on line 2
	34	+===DONE==
	35	diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
	36	index 657051f..8129da3 100644
	37	--- a/ext/standard/var_unserializer.c
	38	+++ b/ext/standard/var_unserializer.c
	39	@@ -326,7 +326,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
	40
	41	(*p) += 2;
	42
	43	- if (datalen < 0 \|\| (*p) + datalen >= max) {
	44	+ if (datalen < 0 \|\| (max - (*p)) <= datalen) {
	45	zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p)));
	46	return 0;
	47	}
	48	diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
	49	index 1307508..6de1583 100644
	50	--- a/ext/standard/var_unserializer.re
	51	+++ b/ext/standard/var_unserializer.re
	52	@@ -332,7 +332,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
	53
	54	(*p) += 2;
	55
	56	- if (datalen < 0 \|\| (*p) + datalen >= max) {
	57	+ if (datalen < 0 \|\| (max - (*p)) <= datalen) {
	58	zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p)));
	59	return 0;
	60	}
	61	--
	62	2.1.0
	63