1 diff -Naur php-5.3.29-original/ext/standard/tests/strings/bug68710.phpt php-5.3.29/ext/standard/tests/strings/bug68710.phpt
2 --- php-5.3.29-original/ext/standard/tests/strings/bug68710.phpt 1970-01-01 00:00:00.000000000 +0000
3 +++ php-5.3.29/ext/standard/tests/strings/bug68710.phpt 2015-01-24 14:53:04.321385336 +0000
6 +Bug #68710 Use after free vulnerability in unserialize() (bypassing the
10 +for ($i=4; $i<100; $i++) {
11 + $m = new StdClass();
15 + $m->aaa = array(1,2,&$u,4,5);
18 + $m->ddd = str_repeat("A", $i);
21 + $z = str_replace("aaa", "123", $z);
22 + $z = str_replace("bbb", "123", $z);
23 + $y = unserialize($z);
30 diff -Naur php-5.3.29-original/ext/standard/var_unserializer.c php-5.3.29/ext/standard/var_unserializer.c
31 --- php-5.3.29-original/ext/standard/var_unserializer.c 2015-01-24 14:50:14.682381430 +0000
32 +++ php-5.3.29/ext/standard/var_unserializer.c 2015-01-24 14:51:47.623383570 +0000
35 /* object properties should include no integers */
36 convert_to_string(key);
37 - if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
38 + if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
39 var_push_dtor(var_hash, old_data);
41 zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
42 diff -Naur php-5.3.29-original/ext/standard/var_unserializer.re php-5.3.29/ext/standard/var_unserializer.re
43 --- php-5.3.29-original/ext/standard/var_unserializer.re 2015-01-24 14:50:14.685381430 +0000
44 +++ php-5.3.29/ext/standard/var_unserializer.re 2015-01-24 14:52:13.191384159 +0000
47 /* object properties should include no integers */
48 convert_to_string(key);
49 - if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
50 + if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
51 var_push_dtor(var_hash, old_data);
53 zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,