moved C: logrotate to proper subpackage (containing logrotate file)

[packages/php.git] / php-5.3.3-CVE-2014-4670.patch

Patch adapted for PHP 5.3.3

Orginal patch:
From df78c48354f376cf419d7a97f88ca07d572f00fb Mon Sep 17 00:00:00 2001
From: Xinchen Hui <laruence@php.net>
Date: Wed, 2 Jul 2014 17:45:09 +0800
Subject: [PATCH] Fixed Bug #67538 (SPL Iterators use-after-free)

---
 NEWS                        |  3 +++
 ext/spl/spl_dllist.c        |  7 +++++--
 ext/spl/tests/bug67538.phpt | 17 +++++++++++++++++
 3 files changed, 25 insertions(+), 2 deletions(-)
 create mode 100644 ext/spl/tests/bug67538.phpt

diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c
index 39a0733..0b44d41 100644
--- a/ext/spl/spl_dllist.c
+++ b/ext/spl/spl_dllist.c
@@ -40,12 +40,10 @@ PHPAPI zend_class_entry  *spl_ce_SplStack;
 
 #define SPL_LLIST_DELREF(elem) if(!--(elem)->rc) { \
        efree(elem); \
-       elem = NULL; \
 }
 
 #define SPL_LLIST_CHECK_DELREF(elem) if((elem) && !--(elem)->rc) { \
        efree(elem); \
-       elem = NULL; \
 }
 
 #define SPL_LLIST_ADDREF(elem) (elem)->rc++
@@ -911,6 +909,11 @@ SPL_METHOD(SplDoublyLinkedList, offsetUnset)
                        llist->dtor(element TSRMLS_CC);
                }
 
+               if (intern->traverse_pointer == element) {
+                       SPL_LLIST_DELREF(element);
+                       intern->traverse_pointer = NULL;
+               }
+
                zval_ptr_dtor((zval **)&element->data);
                element->data = NULL;
 
diff --git a/ext/spl/tests/bug67538.phpt b/ext/spl/tests/bug67538.phpt
new file mode 100644
index 0000000..b6f3848
--- /dev/null
+++ b/ext/spl/tests/bug67538.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #67538 (SPL Iterators use-after-free)
+--FILE--
+<?php
+$list = new SplDoublyLinkedList();
+$list->push('a');
+$list->push('b');
+
+$list->rewind();
+$list->offsetUnset(0);
+$list->push('b');
+$list->offsetUnset(0);
+$list->next();
+echo "okey";
+?>
+--EXPECTF--
+okey
-- 
1.9.2