php-5.3.29-CVE-2015-0231.patch

   1 diff -Naur php-5.3.29-original/ext/standard/tests/strings/bug68710.phpt php-5.3.29/ext/standard/tests/strings/bug68710.phpt
   2 --- php-5.3.29-original/ext/standard/tests/strings/bug68710.phpt        1970-01-01 00:00:00.000000000 +0000
   3 +++ php-5.3.29/ext/standard/tests/strings/bug68710.phpt 2015-01-24 14:53:04.321385336 +0000
   4 @@ -0,0 +1,25 @@
   5 +--TEST--
   6 +Bug #68710 Use after free vulnerability in unserialize() (bypassing the
   7 +CVE-2014-8142 fix)
   8 +--FILE--
   9 +<?php
  10 +for ($i=4; $i<100; $i++) {
  11 +    $m = new StdClass();
  12 +
  13 +    $u = array(1);
  14 +
  15 +    $m->aaa = array(1,2,&$u,4,5);
  16 +    $m->bbb = 1;
  17 +    $m->ccc = &$u;
  18 +    $m->ddd = str_repeat("A", $i);
  19 +
  20 +    $z = serialize($m);
  21 +    $z = str_replace("aaa", "123", $z);
  22 +    $z = str_replace("bbb", "123", $z);
  23 +    $y = unserialize($z);
  24 +    $z = serialize($y);
  25 +}
  26 +?>
  27 +===DONE===
  28 +--EXPECTF--
  29 +===DONE===
  30 diff -Naur php-5.3.29-original/ext/standard/var_unserializer.c php-5.3.29/ext/standard/var_unserializer.c
  31 --- php-5.3.29-original/ext/standard/var_unserializer.c 2015-01-24 14:50:14.682381430 +0000
  32 +++ php-5.3.29/ext/standard/var_unserializer.c  2015-01-24 14:51:47.623383570 +0000
  33 @@ -298,7 +298,7 @@
  34                 } else {
  35                         /* object properties should include no integers */
  36                         convert_to_string(key);
  37 -                       if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
  38 +                       if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
  39                                 var_push_dtor(var_hash, old_data);
  40                         }
  41                         zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
  42 diff -Naur php-5.3.29-original/ext/standard/var_unserializer.re php-5.3.29/ext/standard/var_unserializer.re
  43 --- php-5.3.29-original/ext/standard/var_unserializer.re        2015-01-24 14:50:14.685381430 +0000
  44 +++ php-5.3.29/ext/standard/var_unserializer.re 2015-01-24 14:52:13.191384159 +0000
  45 @@ -304,7 +304,7 @@
  46                 } else {
  47                         /* object properties should include no integers */
  48                         convert_to_string(key);
  49 -                       if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
  50 +                       if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
  51                                 var_push_dtor(var_hash, old_data);
  52                         }
  53                         zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,