[packages/php.git] / php-5.3.3-CVE-2014-4698.patch

Patch adapted for PHP 5.3.3

Orginal patch:
From 22882a9d89712ff2b6ebc20a689a89452bba4dcd Mon Sep 17 00:00:00 2001
From: Xinchen Hui <laruence@php.net>
Date: Wed, 2 Jul 2014 17:57:42 +0800
Subject: [PATCH] Fixed bug #67539 (ArrayIterator use-after-free due to object
 change during sorting)

---
 NEWS                        |  2 ++
 ext/spl/spl_array.c         |  7 +++++++
 ext/spl/tests/bug67539.phpt | 15 +++++++++++++++
 3 files changed, 24 insertions(+)
 create mode 100644 ext/spl/tests/bug67539.phpt

diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 8392e72..0fe47b6 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -1661,8 +1661,15 @@
 {
 	const unsigned char *p, *s;
 	zval *pmembers, *pflags = NULL;
+	HashTable *aht;
 	long flags;
 
+	aht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
+	if (aht->nApplyCount > 0) {
+		zend_error(E_WARNING, "Modification of ArrayObject during sorting is prohibited");
+		return;
+	}
+
 	/* storage */
 	s = p = buf;
 
diff --git a/ext/spl/tests/bug67539.phpt b/ext/spl/tests/bug67539.phpt
new file mode 100644
index 0000000..8bab2a8
--- /dev/null
+++ b/ext/spl/tests/bug67539.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #67539 (ArrayIterator use-after-free due to object change during sorting)
+--FILE--
+<?php
+
+$it = new ArrayIterator(array_fill(0,2,'X'), 1 );
+
+function badsort($a, $b) {
+        $GLOBALS['it']->unserialize($GLOBALS['it']->serialize());
+        return TRUE;
+}
+
+$it->uksort('badsort');
+--EXPECTF--
+Warning: Modification of ArrayObject during sorting is prohibited in %sbug67539.php on line %d
-- 
1.9.2
Commit	Line	Data
9fd17760 ER	1	Patch adapted for PHP 5.3.3
	2
	3	Orginal patch:
	4	From 22882a9d89712ff2b6ebc20a689a89452bba4dcd Mon Sep 17 00:00:00 2001
	5	From: Xinchen Hui <laruence@php.net>
	6	Date: Wed, 2 Jul 2014 17:57:42 +0800
	7	Subject: [PATCH] Fixed bug #67539 (ArrayIterator use-after-free due to object
	8	change during sorting)
	9
	10	---
	11	NEWS \| 2 ++
	12	ext/spl/spl_array.c \| 7 +++++++
	13	ext/spl/tests/bug67539.phpt \| 15 +++++++++++++++
	14	3 files changed, 24 insertions(+)
	15	create mode 100644 ext/spl/tests/bug67539.phpt
	16
	17	diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
	18	index 8392e72..0fe47b6 100644
	19	--- a/ext/spl/spl_array.c
	20	+++ b/ext/spl/spl_array.c
	21	@@ -1661,8 +1661,15 @@
	22	{
	23	const unsigned char p, s;
	24	zval pmembers, pflags = NULL;
	25	+ HashTable *aht;
	26	long flags;
	27
	28	+ aht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
	29	+ if (aht->nApplyCount > 0) {
	30	+ zend_error(E_WARNING, "Modification of ArrayObject during sorting is prohibited");
	31	+ return;
	32	+ }
	33	+
	34	/* storage */
	35	s = p = buf;
	36
	37	diff --git a/ext/spl/tests/bug67539.phpt b/ext/spl/tests/bug67539.phpt
	38	new file mode 100644
	39	index 0000000..8bab2a8
	40	--- /dev/null
	41	+++ b/ext/spl/tests/bug67539.phpt
	42	@@ -0,0 +1,15 @@
	43	+--TEST--
	44	+Bug #67539 (ArrayIterator use-after-free due to object change during sorting)
	45	+--FILE--
	46	+<?php
	47	+
	48	+$it = new ArrayIterator(array_fill(0,2,'X'), 1 );
	49	+
	50	+function badsort($a, $b) {
	51	+ $GLOBALS['it']->unserialize($GLOBALS['it']->serialize());
	52	+ return TRUE;
	53	+}
	54	+
	55	+$it->uksort('badsort');
	56	+--EXPECTF--
	57	+Warning: Modification of ArrayObject during sorting is prohibited in %sbug67539.php on line %d
	58	--
	59	1.9.2
	60