1 Fix for CVE-2014-4670 |
2 Patch: |
3 http://git.php.net/?p=php-src.git;a=commitdiff;h=df78c48354f376cf419d7a97f88ca07d572f00fb |
6 Fixed Bug #67538 (SPL Iterators use-after-free) |
7 --- |
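--- a/ext/spl/spl_dllist.c
+++ b/ext/spl/spl_dllist.c
@@ -43,12 +43,10 @@ PHPAPI zend_class_entry *spl_ce_SplStack;
 
 #define SPL_LLIST_DELREF(elem) if(!--(elem)->rc) { \
 efree(elem); \
- elem = NULL; \
 }
 
 #define SPL_LLIST_CHECK_DELREF(elem) if((elem) && !--(elem)->rc) { \
 efree(elem); \
- elem = NULL; \
 }
 
 #define SPL_LLIST_ADDREF(elem) (elem)->rc++
@@ -916,6 +914,11 @@ SPL_METHOD(SplDoublyLinkedList, offsetUnset)
 llist->dtor(element TSRMLS_CC);
 }
 
+ if (intern->traverse_pointer == element) {
+ SPL_LLIST_DELREF(element);
+ intern->traverse_pointer = NULL;
+ }
+
 zval_ptr_dtor((zval **)&element->data);
 element->data = NULL;
 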
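Review bot: In the offsetUnset hunk the added `SPL_LLIST_DELREF(element);` is immediately followed by `zval_ptr_dtor((zval **)&element->data);` and `element->data = NULL;`, which is only safe if the list still holds its own reference so that `rc` cannot reach zero at the added call. The function continues outside the hunk, so where that remaining reference is released is not visible here; the invariant deserves a comment above the new block such as `/* drops only the iterator's reference; the list's own reference is released below, so element is still valid here */`. Separately, with `elem = NULL;` removed from both macros, a caller's pointer is left dangling whenever the macro frees the element, so every other call site now needs an explicit reset or reassignment like the `intern->traverse_pointer = NULL;` added here; those call sites are outside this patch and should be audited.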
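--- /dev/null
+++ b/ext/spl/tests/bug67538.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #67538 (SPL Iterators use-after-free)
+--FILE--
+<?php
+$list = new SplDoublyLinkedList();
+$list->push('a');
+$list->push('b');
+
+$list->rewind();
+$list->offsetUnset(0);
+$list->push('b');
+$list->offsetUnset(0);
+$list->next();
+echo "okey";
+?>
+--EXPECTF--
+okey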
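Review bot: The regression test only prints a fixed string after `$list->next();`, so it passes whenever the process does not crash and would not notice a use-after-free that happens to read still-mapped memory. It would be stronger to also assert the iterator state after the unset, for example by adding `var_dump($list->valid());` before the `echo` with the matching expected output, and to run this test under a memory checker in CI. The section header `--EXPECTF--` is used although the expected output contains no format placeholders; `--EXPECT--` would state the intent more precisely.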