]> git.pld-linux.org Git - packages/php.git/blob - php-5.3.29-CVE-2014-8142.patch
projects / packages / php.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
moved C: logrotate to proper subpackage (containing logrotate file)
[packages/php.git] / php-5.3.29-CVE-2014-8142.patch
1 diff -Naur php-5.3.29-original/ext/standard/tests/serialize/bug68594.phpt php-5.3.29/ext/standard/tests/serialize/bug68594.phpt
2 --- php-5.3.29-original/ext/standard/tests/serialize/bug68594.phpt      1970-01-01 00:00:00.000000000 +0000
3 +++ php-5.3.29/ext/standard/tests/serialize/bug68594.phpt       2015-01-24 13:14:16.222248839 +0000
4 @@ -0,0 +1,23 @@
5 +--TEST--
6 +Bug #68545 Use after free vulnerability in unserialize()
7 +--FILE--
8 +<?php
9 +for ($i=4; $i<100; $i++) {
10 +       $m = new StdClass();
11 +
12 +       $u = array(1);
13 +
14 +       $m->aaa = array(1,2,&$u,4,5);
15 +       $m->bbb = 1;
16 +       $m->ccc = &$u;
17 +       $m->ddd = str_repeat("A", $i);
18 +
19 +       $z = serialize($m);
20 +       $z = str_replace("bbb", "aaa", $z);
21 +       $y = unserialize($z);
22 +       $z = serialize($y);
23 +}
24 +?>
25 +===DONE===
26 +--EXPECTF--
27 +===DONE===
28 diff -Naur php-5.3.29-original/ext/standard/var_unserializer.c php-5.3.29/ext/standard/var_unserializer.c
29 --- php-5.3.29-original/ext/standard/var_unserializer.c 2015-01-24 13:05:17.310236430 +0000
30 +++ php-5.3.29/ext/standard/var_unserializer.c  2015-01-24 13:09:14.269241886 +0000
31 @@ -298,6 +298,9 @@
32                 } else {
33                         /* object properties should include no integers */
34                         convert_to_string(key);
35 +                       if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
36 +                               var_push_dtor(var_hash, old_data);
37 +                       }
38                         zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
39                                         sizeof data, NULL);
40                 }
41 diff -Naur php-5.3.29-original/ext/standard/var_unserializer.re php-5.3.29/ext/standard/var_unserializer.re
42 --- php-5.3.29-original/ext/standard/var_unserializer.re        2015-01-24 13:05:17.310236430 +0000
43 +++ php-5.3.29/ext/standard/var_unserializer.re 2015-01-24 13:07:59.593240167 +0000
44 @@ -304,6 +304,9 @@
45                 } else {
46                         /* object properties should include no integers */
47                         convert_to_string(key);
48 +                       if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
49 +                               var_push_dtor(var_hash, old_data);
50 +                       }
51                         zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
52                                         sizeof data, NULL);
53                 }
PHP: Hypertext Preprocessor
This page took 0.035465 seconds and 3 git commands to generate.