Mercurial Mercurial > upstream > oracle > userland-gate / annotate
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
components/php-5_3/php-sapi/patches/214_php_19556437.patch
author Craig Mohrman <craig.mohrman@oracle.com>
Thu, 12 Feb 2015 10:14:29 -0800
branchs11-update
changeset 3777 68aef260e079
permissions -rw-r--r--
19838509 upgrade php to version 5.3.29 18857741 problem in UTILITY/PHP 18890894 problem in UTILITY/PHP 18890895 problem in UTILITY/PHP 19003253 problem in UTILITY/PHP 19167518 problem in UTILITY/PHP 19519142 problem in UTILITY/PHP 19556437 problem in UTILITY/PHP 19707971 problem in UTILITY/PHP 19796954 problem in UTILITY/PHP 20258327 problem in UTILITY/PHP 20488612 announce PHP 5.2 EOF in man page
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
3777
68aef260e079 19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff changeset 
     1
 
Fix for CVE-2014-4698
68aef260e079 19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff changeset 
     2
 
Patch:
68aef260e079 19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff changeset 
     3
 
http://git.php.net/?p=php-src.git;a=commitdiff;h=22882a9d89712ff2b6ebc20a689a89452bba4dcd
68aef260e079 19838509 upgrade php to version 5.3.29
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff changeset 
     4
 












68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




     5


Hand crafted patch for php 5.3 from above due to context differences.













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




     6














68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




     7


--- php-5.3.29/ext/spl/spl_array.c_orig	2014-08-13 12:22:50.000000000 -0700













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




     8


+++ php-5.3.29/ext/spl/spl_array.c	2014-11-04 14:31:14.198629945 -0800













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




     9


@@ -1843,6 +1843,7 @@













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




    10


 	int buf_len;













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




    11


 	spl_array_object *intern = (spl_array_object*)zend_object_store_get_object(getThis() TSRMLS_CC);













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




    12


 	int was_in_unserialize = intern->unserialize_data != NULL;













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




    13


+	HashTable *aht;













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




    14


 













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




    15


 	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &buf, &buf_len) == FAILURE) {













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




    16


 		return;













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




    17


@@ -1853,6 +1854,12 @@













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




    18


 		return;













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




    19


 	}













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




    20


 













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




    21


+    aht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




    22


+	if (aht->nApplyCount > 0) {













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




    23


+		zend_error(E_WARNING, "Modification of ArrayObject during sorting is prohibited");













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




    24


+		return;













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




    25


+	}













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




    26


+













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




    27


 	if (!was_in_unserialize) {













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




    28


 		intern->unserialize_data = emalloc(sizeof(php_unserialize_data_t));













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




    29


 		PHP_VAR_UNSERIALIZE_INIT(*intern->unserialize_data);













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




    30


--- php-5.3.29/ext/spl/tests/bug67539.phpt_orig	2014-11-04 14:32:52.307769425 -0800













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




    31


+++ php-5.3.29/ext/spl/tests/bug67539.phpt	2014-11-04 14:33:24.460710922 -0800













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




    32


@@ -0,0 +1,15 @@













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




    33


+--TEST--













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




    34


+Bug #67539 (ArrayIterator use-after-free due to object change during sorting)













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




    35


+--FILE--













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




    36


+<?php













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




    37


+













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




    38


+$it = new ArrayIterator(array_fill(0,2,'X'), 1 );













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




    39


+













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




    40


+function badsort($a, $b) {













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




    41


+        $GLOBALS['it']->unserialize($GLOBALS['it']->serialize());













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




    42


+        return TRUE;













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




    43


+}













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




    44


+













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




    45


+$it->uksort('badsort');













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




    46


+--EXPECTF--













68aef260e079
19838509 upgrade php to version 5.3.29



Craig Mohrman <craig.mohrman@oracle.com>


parents: 

diff
changeset




    47


+Warning: Modification of ArrayObject during sorting is prohibited in %sbug67539.php on line %d















upstream/oracle/userland-gate