[packages/php.git] / php-5.3.3-CVE-2014-4670.patch

Patch adapted for PHP 5.3.3

Orginal patch:
From df78c48354f376cf419d7a97f88ca07d572f00fb Mon Sep 17 00:00:00 2001
From: Xinchen Hui <laruence@php.net>
Date: Wed, 2 Jul 2014 17:45:09 +0800
Subject: [PATCH] Fixed Bug #67538 (SPL Iterators use-after-free)

---
 NEWS                        |  3 +++
 ext/spl/spl_dllist.c        |  7 +++++--
 ext/spl/tests/bug67538.phpt | 17 +++++++++++++++++
 3 files changed, 25 insertions(+), 2 deletions(-)
 create mode 100644 ext/spl/tests/bug67538.phpt

diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c
index 39a0733..0b44d41 100644
--- a/ext/spl/spl_dllist.c
+++ b/ext/spl/spl_dllist.c
@@ -40,12 +40,10 @@ PHPAPI zend_class_entry  *spl_ce_SplStack;
 
 #define SPL_LLIST_DELREF(elem) if(!--(elem)->rc) { \
 	efree(elem); \
-	elem = NULL; \
 }
 
 #define SPL_LLIST_CHECK_DELREF(elem) if((elem) && !--(elem)->rc) { \
 	efree(elem); \
-	elem = NULL; \
 }
 
 #define SPL_LLIST_ADDREF(elem) (elem)->rc++
@@ -911,6 +909,11 @@ SPL_METHOD(SplDoublyLinkedList, offsetUnset)
 			llist->dtor(element TSRMLS_CC);
 		}
 
+		if (intern->traverse_pointer == element) {
+			SPL_LLIST_DELREF(element);
+			intern->traverse_pointer = NULL;
+		}
+
 		zval_ptr_dtor((zval **)&element->data);
 		element->data = NULL;
 
diff --git a/ext/spl/tests/bug67538.phpt b/ext/spl/tests/bug67538.phpt
new file mode 100644
index 0000000..b6f3848
--- /dev/null
+++ b/ext/spl/tests/bug67538.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #67538 (SPL Iterators use-after-free)
+--FILE--
+<?php
+$list = new SplDoublyLinkedList();
+$list->push('a');
+$list->push('b');
+
+$list->rewind();
+$list->offsetUnset(0);
+$list->push('b');
+$list->offsetUnset(0);
+$list->next();
+echo "okey";
+?>
+--EXPECTF--
+okey
-- 
1.9.2
Commit	Line	Data
9fd17760 ER	1	Patch adapted for PHP 5.3.3
	2
	3	Orginal patch:
	4	From df78c48354f376cf419d7a97f88ca07d572f00fb Mon Sep 17 00:00:00 2001
	5	From: Xinchen Hui <laruence@php.net>
	6	Date: Wed, 2 Jul 2014 17:45:09 +0800
	7	Subject: [PATCH] Fixed Bug #67538 (SPL Iterators use-after-free)
	8
	9	---
	10	NEWS \| 3 +++
	11	ext/spl/spl_dllist.c \| 7 +++++--
	12	ext/spl/tests/bug67538.phpt \| 17 +++++++++++++++++
	13	3 files changed, 25 insertions(+), 2 deletions(-)
	14	create mode 100644 ext/spl/tests/bug67538.phpt
	15
	16	diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c
	17	index 39a0733..0b44d41 100644
	18	--- a/ext/spl/spl_dllist.c
	19	+++ b/ext/spl/spl_dllist.c
	20	@@ -40,12 +40,10 @@ PHPAPI zend_class_entry *spl_ce_SplStack;
	21
	22	#define SPL_LLIST_DELREF(elem) if(!--(elem)->rc) { \
	23	efree(elem); \
	24	- elem = NULL; \
	25	}
	26
	27	#define SPL_LLIST_CHECK_DELREF(elem) if((elem) && !--(elem)->rc) { \
	28	efree(elem); \
	29	- elem = NULL; \
	30	}
	31
	32	#define SPL_LLIST_ADDREF(elem) (elem)->rc++
	33	@@ -911,6 +909,11 @@ SPL_METHOD(SplDoublyLinkedList, offsetUnset)
	34	llist->dtor(element TSRMLS_CC);
	35	}
	36
	37	+ if (intern->traverse_pointer == element) {
	38	+ SPL_LLIST_DELREF(element);
	39	+ intern->traverse_pointer = NULL;
	40	+ }
	41	+
	42	zval_ptr_dtor((zval **)&element->data);
	43	element->data = NULL;
	44
	45	diff --git a/ext/spl/tests/bug67538.phpt b/ext/spl/tests/bug67538.phpt
	46	new file mode 100644
	47	index 0000000..b6f3848
	48	--- /dev/null
	49	+++ b/ext/spl/tests/bug67538.phpt
	50	@@ -0,0 +1,17 @@
	51	+--TEST--
	52	+Bug #67538 (SPL Iterators use-after-free)
	53	+--FILE--
	54	+<?php
	55	+$list = new SplDoublyLinkedList();
	56	+$list->push('a');
	57	+$list->push('b');
	58	+
	59	+$list->rewind();
	60	+$list->offsetUnset(0);
	61	+$list->push('b');
	62	+$list->offsetUnset(0);
	63	+$list->next();
	64	+echo "okey";
65	+?>
66	+--EXPECTF--
67	+okey
68	--
69	1.9.2
70