| author | Craig Mohrman <craig.mohrman@oracle.com> |
| Thu, 12 Feb 2015 10:14:29 -0800 | |
| branch | s11-update |
| changeset 3777 | 68aef260e079 |
| permissions | -rw-r--r-- |
|
3777
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
1 |
Fix for CVE-2014-4670 |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
2 |
Patch: |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
3 |
http://git.php.net/?p=php-src.git;a=commitdiff;h=df78c48354f376cf419d7a97f88ca07d572f00fb |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
4 |
|
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
5 |
|
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
6 |
Fixed Bug #67538 (SPL Iterators use-after-free) |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
7 |
--- |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
8 |
|
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
9 |
diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
10 |
index 39a0733..0b44d41 100644 |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
11 |
--- a/ext/spl/spl_dllist.c |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
12 |
+++ b/ext/spl/spl_dllist.c |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
13 |
@@ -43,12 +43,10 @@ PHPAPI zend_class_entry *spl_ce_SplStack; |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
14 |
|
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
15 |
#define SPL_LLIST_DELREF(elem) if(!--(elem)->rc) { \
|
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
16 |
efree(elem); \ |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
17 |
- elem = NULL; \ |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
18 |
} |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
19 |
|
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
20 |
#define SPL_LLIST_CHECK_DELREF(elem) if((elem) && !--(elem)->rc) { \
|
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
21 |
efree(elem); \ |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
22 |
- elem = NULL; \ |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
23 |
} |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
24 |
|
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
25 |
#define SPL_LLIST_ADDREF(elem) (elem)->rc++ |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
26 |
@@ -916,6 +914,11 @@ SPL_METHOD(SplDoublyLinkedList, offsetUnset) |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
27 |
llist->dtor(element TSRMLS_CC); |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
28 |
} |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
29 |
|
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
30 |
+ if (intern->traverse_pointer == element) {
|
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
31 |
+ SPL_LLIST_DELREF(element); |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
32 |
+ intern->traverse_pointer = NULL; |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
33 |
+ } |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
34 |
+ |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
35 |
zval_ptr_dtor((zval **)&element->data); |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
36 |
element->data = NULL; |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
37 |
|
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
38 |
diff --git a/ext/spl/tests/bug67538.phpt b/ext/spl/tests/bug67538.phpt |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
39 |
new file mode 100644 |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
40 |
index 0000000..b6f3848 |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
41 |
--- /dev/null |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
42 |
+++ b/ext/spl/tests/bug67538.phpt |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
43 |
@@ -0,0 +1,17 @@ |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
44 |
+--TEST-- |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
45 |
+Bug #67538 (SPL Iterators use-after-free) |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
46 |
+--FILE-- |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
47 |
+<?php |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
48 |
+$list = new SplDoublyLinkedList(); |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
49 |
+$list->push('a');
|
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
50 |
+$list->push('b');
|
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
51 |
+ |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
52 |
+$list->rewind(); |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
53 |
+$list->offsetUnset(0); |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
54 |
+$list->push('b');
|
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
55 |
+$list->offsetUnset(0); |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
56 |
+$list->next(); |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
57 |
+echo "okey"; |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
58 |
+?> |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
59 |
+--EXPECTF-- |
|
68aef260e079
19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
60 |
+okey |