|
1 Fix for CVE-2014-4698 |
|
2 Patch: |
|
3 http://git.php.net/?p=php-src.git;a=commitdiff;h=22882a9d89712ff2b6ebc20a689a89452bba4dcd |
|
4 |
|
5 Hand crafted patch for php 5.3 from above due to context differences. |
|
6 |
|
7 --- php-5.3.29/ext/spl/spl_array.c_orig 2014-08-13 12:22:50.000000000 -0700 |
|
8 +++ php-5.3.29/ext/spl/spl_array.c 2014-11-04 14:31:14.198629945 -0800 |
|
9 @@ -1843,6 +1843,7 @@ |
|
10 int buf_len; |
|
11 spl_array_object *intern = (spl_array_object*)zend_object_store_get_object(getThis() TSRMLS_CC); |
|
12 int was_in_unserialize = intern->unserialize_data != NULL; |
|
13 + HashTable *aht; |
|
14 |
|
15 if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &buf, &buf_len) == FAILURE) { |
|
16 return; |
|
17 @@ -1853,6 +1854,12 @@ |
|
18 return; |
|
19 } |
|
20 |
|
21 + aht = spl_array_get_hash_table(intern, 0 TSRMLS_CC); |
|
22 + if (aht->nApplyCount > 0) { |
|
23 + zend_error(E_WARNING, "Modification of ArrayObject during sorting is prohibited"); |
|
24 + return; |
|
25 + } |
|
26 + |
|
27 if (!was_in_unserialize) { |
|
28 intern->unserialize_data = emalloc(sizeof(php_unserialize_data_t)); |
|
29 PHP_VAR_UNSERIALIZE_INIT(*intern->unserialize_data); |
|
30 --- php-5.3.29/ext/spl/tests/bug67539.phpt_orig 2014-11-04 14:32:52.307769425 -0800 |
|
31 +++ php-5.3.29/ext/spl/tests/bug67539.phpt 2014-11-04 14:33:24.460710922 -0800 |
|
32 @@ -0,0 +1,15 @@ |
|
33 +--TEST-- |
|
34 +Bug #67539 (ArrayIterator use-after-free due to object change during sorting) |
|
35 +--FILE-- |
|
36 +<?php |
|
37 + |
|
38 +$it = new ArrayIterator(array_fill(0,2,'X'), 1 ); |
|
39 + |
|
40 +function badsort($a, $b) { |
|
41 + $GLOBALS['it']->unserialize($GLOBALS['it']->serialize()); |
|
42 + return TRUE; |
|
43 +} |
|
44 + |
|
45 +$it->uksort('badsort'); |
|
46 +--EXPECTF-- |
|
47 +Warning: Modification of ArrayObject during sorting is prohibited in %sbug67539.php on line %d |