components/php/php56/patches/CVE-2015-6831_70169.patch
author Michael Nestler <Michael.Nestler@Oracle.COM>
Thu, 19 Nov 2015 22:52:15 -0800
changeset 5116 867d838118ad
permissions -rw-r--r--
22244227 problem in UTILITY/PHP 21577672 problem in UTILITY/PHP 22244239 problem in UTILITY/PHP 22244245 problem in UTILITY/PHP 22244247 problem in UTILITY/PHP 22244253 problem in UTILITY/PHP 22244256 problem in UTILITY/PHP 22244261 problem in UTILITY/PHP 22244265 problem in UTILITY/PHP 22244270 problem in UTILITY/PHP 22244277 problem in UTILITY/PHP 22244286 problem in UTILITY/PHP
# Source: upstream
# http://git.php.net/?p=php-src.git;a=commit;h=863bf294feb9ad425eadb94f288bc7f18673089d
# https://bugs.php.net/bug.php?id=70169
From 863bf294feb9ad425eadb94f288bc7f18673089d Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <[email protected]>
Date: Sat, 1 Aug 2015 21:51:08 -0700
Subject: [PATCH] Fixed bug #70169 (Use After Free Vulnerability in
 unserialize() with SplDoublyLinkedList)
---
 ext/spl/spl_dllist.c        | 25 +++++++++++++------------
 ext/spl/tests/bug70169.phpt | 30 ++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+), 12 deletions(-)
 create mode 100644 ext/spl/tests/bug70169.phpt
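--- a/ext/spl/spl_dllist.c
+++ b/ext/spl/spl_dllist.c
@@ -500,7 +500,7 @@ static int spl_dllist_object_count_elements(zval *object, long *count TSRMLS_DC)
 
 	*count = spl_ptr_llist_count(intern->llist);
 	return SUCCESS;
-} 
+}
 /* }}} */
 
 static HashTable* spl_dllist_object_get_debug_info(zval *obj, int *is_temp TSRMLS_DC) /* {{{{ */
@@ -571,7 +571,7 @@ SPL_METHOD(SplDoublyLinkedList, push)
 	spl_ptr_llist_push(intern->llist, value TSRMLS_CC);
 
 	RETURN_TRUE;
-} 
+}
 /* }}} */
 
 /* {{{ proto bool SplDoublyLinkedList::unshift(mixed $value) U
@@ -614,7 +614,7 @@ SPL_METHOD(SplDoublyLinkedList, pop)
 	}
 
 	RETURN_ZVAL(value, 1, 1);
-} 
+}
 /* }}} */
 
 /* {{{ proto mixed SplDoublyLinkedList::shift() U
@@ -637,7 +637,7 @@ SPL_METHOD(SplDoublyLinkedList, shift)
 	}
 
 	RETURN_ZVAL(value, 1, 1);
-} 
+}
 /* }}} */
 
 /* {{{ proto mixed SplDoublyLinkedList::top() U
@@ -1051,7 +1051,7 @@ static void spl_dllist_it_move_forward(zend_object_iterator *iter TSRMLS_DC) /*
 SPL_METHOD(SplDoublyLinkedList, key)
 {
 	spl_dllist_object *intern = (spl_dllist_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
-	
+
 	if (zend_parse_parameters_none() == FAILURE) {
 		return;
 	}
@@ -1065,7 +1065,7 @@ SPL_METHOD(SplDoublyLinkedList, key)
 SPL_METHOD(SplDoublyLinkedList, prev)
 {
 	spl_dllist_object *intern = (spl_dllist_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
-	
+
 	if (zend_parse_parameters_none() == FAILURE) {
 		return;
 	}
@@ -1079,7 +1079,7 @@ SPL_METHOD(SplDoublyLinkedList, prev)
 SPL_METHOD(SplDoublyLinkedList, next)
 {
 	spl_dllist_object *intern = (spl_dllist_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
-	
+
 	if (zend_parse_parameters_none() == FAILURE) {
 		return;
 	}
@@ -1093,7 +1093,7 @@ SPL_METHOD(SplDoublyLinkedList, next)
 SPL_METHOD(SplDoublyLinkedList, valid)
 {
 	spl_dllist_object *intern = (spl_dllist_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
-	
+
 	if (zend_parse_parameters_none() == FAILURE) {
 		return;
 	}
@@ -1107,7 +1107,7 @@ SPL_METHOD(SplDoublyLinkedList, valid)
 SPL_METHOD(SplDoublyLinkedList, rewind)
 {
 	spl_dllist_object *intern = (spl_dllist_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
-	
+
 	if (zend_parse_parameters_none() == FAILURE) {
 		return;
 	}
@@ -1122,7 +1122,7 @@ SPL_METHOD(SplDoublyLinkedList, current)
 {
 	spl_dllist_object     *intern  = (spl_dllist_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
 	spl_ptr_llist_element *element = intern->traverse_pointer;
-	
+
 	if (zend_parse_parameters_none() == FAILURE) {
 		return;
 	}
@@ -1177,7 +1177,7 @@ SPL_METHOD(SplDoublyLinkedList, serialize)
 	} else {
 		RETURN_NULL();
 	}
-	
+
 } /* }}} */
 
 /* {{{ proto void SplDoublyLinkedList::unserialize(string serialized)
@@ -1190,7 +1190,7 @@ SPL_METHOD(SplDoublyLinkedList, unserialize)
 	int buf_len;
 	const unsigned char *p, *s;
 	php_unserialize_data_t var_hash;
-	
+
 	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &buf, &buf_len) == FAILURE) {
 		return;
 	}
@@ -1209,6 +1209,7 @@ SPL_METHOD(SplDoublyLinkedList, unserialize)
 		zval_ptr_dtor(&flags);
 		goto error;
 	}
+	var_push_dtor(&var_hash, &flags);
 	intern->flags = Z_LVAL_P(flags);
 	zval_ptr_dtor(&flags);
 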
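Review bot: The added `var_push_dtor(&var_hash, &flags);` in the `@@ -1209,6 +1209,7 @@` hunk has no comment, although it is the entire fix and only works because it runs before `zval_ptr_dtor(&flags)`. I would put `/* keep flags alive until var_hash is destroyed; a later back-reference in the stream may still resolve to it */` above it so a future cleanup does not drop the call as redundant. The failure branch in the context lines just above still calls `zval_ptr_dtor(&flags)` without registering the value; that appears safe only if `goto error` aborts the whole unserialize, which happens outside this hunk and should be confirmed. The other hunks in this file only strip trailing whitespace, which makes the one security-relevant line harder to spot when the patch is audited or backported.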
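--- /dev/null
+++ b/ext/spl/tests/bug70169.phpt
@@ -0,0 +1,30 @@
+--TEST--
+SPL: Bug #70169	Use After Free Vulnerability in unserialize() with SplDoublyLinkedList
+--FILE--
+<?php
+$inner = 'i:1;';
+$exploit = 'a:2:{i:0;C:19:"SplDoublyLinkedList":'.strlen($inner).':{'.$inner.'}i:1;R:3;}';
+
+$data = unserialize($exploit);
+
+for($i = 0; $i < 5; $i++) {
+    $v[$i] = 'hi'.$i;
+}
+
+var_dump($data);
+?>
+===DONE===
+--EXPECTF--
+array(2) {
+  [0]=>
+  object(SplDoublyLinkedList)#%d (2) {
+    ["flags":"SplDoublyLinkedList":private]=>
+    int(1)
+    ["dllist":"SplDoublyLinkedList":private]=>
+    array(0) {
+    }
+  }
+  [1]=>
+  int(1)
+}
+===DONE===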
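Review bot: The regression test detects the use-after-free only by comparing `var_dump($data)` output after the `for` loop has had a chance to reuse freed memory, so on an unpatched build the outcome may depend on allocator behaviour rather than fail reliably. Running it under a memory checker (valgrind or an ASan build) would make the check deterministic; that presumably has to be arranged in the test run, not in this file. The serialized string is also unexplained: a comment before the `unserialize()` call such as `// R:3 points back at the list's flags value (i:1); index 1 must still dump as int(1) after the loop` would tell a maintainer what the expected output proves.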
-- 
2.1.4