components/php-5_3/php-sapi/patches/250_php_20433646.patch
changeset 4987 6a82655eda42
parent 4986 90a869b3f47a
child 4988 4b69c7c7e09b
4986:90a869b3f47a 4987:6a82655eda42
     1 From php community:
       
     2 BUG: https://bugs.php.net/bug.php?id=68710
       
     3 CODE: https://github.com/php/php-src/commit/b585a3aed7880a5fa5c18e2b838fc96f40e075bd
       
     4 Created for php 5.3 based on code from the community bug.
       
     5 
       
     6 
       
     7 --- php-5.3.29/ext/standard/var_unserializer.c_orig	2015-06-03 16:10:58.649025322 -0700
       
     8 +++ php-5.3.29/ext/standard/var_unserializer.c	2015-06-03 16:11:38.093987868 -0700
       
     9 @@ -298,7 +298,7 @@
       
    10  		} else {
       
    11  			/* object properties should include no integers */
       
    12  			convert_to_string(key);
       
    13 -			if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
       
    14 +			if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
       
    15  				var_push_dtor(var_hash, old_data);
       
    16  			}
       
    17  			zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
       
    18 --- php-5.3.29/ext/standard/var_unserializer.re_orig	2015-06-03 16:09:21.637872795 -0700
       
    19 +++ php-5.3.29/ext/standard/var_unserializer.re	2015-06-03 16:10:05.641543642 -0700
       
    20 @@ -304,7 +304,7 @@
       
    21  		} else {
       
    22  			/* object properties should include no integers */
       
    23  			convert_to_string(key);
       
    24 -			if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
       
    25 +			if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
       
    26  				var_push_dtor(var_hash, old_data);
       
    27  			}
       
    28  			zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
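Review bot: The changed lookup `zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, ...)` carries no comment saying why it must not be a symtable lookup, and the existing comment "object properties should include no integers" does not explain it. The store just below is `zend_hash_update` with the string key, so the lookup has to use the same string-key semantics. A symtable lookup treats a numeric-looking name such as "123" as an integer index and misses the entry about to be overwritten, so the old value is never handed to `var_push_dtor` and, as I read it, can be freed while earlier back-references still point at it. I would add above the `if`: `/* must match zend_hash_update() below: a symtable lookup maps numeric names to integer keys and would miss the entry being overwritten (bug #68710) */`. The generated var_unserializer.c hunk has the identical line and wants the same comment; the enclosing function starts and ends outside both hunks.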
       
    29 --- php-5.3.29/ext/standard/tests/strings/bug68710.phpt_orig	2015-06-03 16:16:50.728789966 -0700
       
    30 +++ php-5.3.29/ext/standard/tests/strings/bug68710.phpt	2015-06-03 16:12:43.728868416 -0700
       
    31 @@ -0,0 +1,25 @@
       
    32 +--TEST--
       
    33 +Bug #68710 Use after free vulnerability in unserialize() (bypassing the
       
    34 +CVE-2014-8142 fix)
       
    35 +--FILE--
       
    36 +<?php
       
    37 +for ($i=4; $i<100; $i++) {
       
    38 + $m = new StdClass();
       
    39 +
       
    40 + $u = array(1);
       
    41 +
       
    42 + $m->aaa = array(1,2,&$u,4,5);
       
    43 + $m->bbb = 1;
       
    44 + $m->ccc = &$u;
       
    45 + $m->ddd = str_repeat("A", $i);
       
    46 +
       
    47 + $z = serialize($m);
       
    48 + $z = str_replace("aaa", "123", $z);
       
    49 + $z = str_replace("bbb", "123", $z);
       
    50 + $y = unserialize($z);
       
    51 + $z = serialize($y);
       
    52 +}
       
    53 +?>
       
    54 +===DONE===
       
    55 +--EXPECTF--
       
    56 +===DONE===
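Review bot: The test asserts only that the loop finishes, since `--EXPECTF--` holds nothing but `===DONE===`. A use-after-free in `unserialize()` often does not crash under the default allocator, so an unpatched build can pass this by luck. The component's test target should run it under a memory checker (run-tests.php's `-m` valgrind mode, or `USE_ZEND_ALLOC=0` with an external checker) so a regression is actually caught. It would also be stronger to assert the outcome after the loop, for example `var_dump(count(get_object_vars($y)));` with the matching expected line, so that the collapse of the two "123" properties into one is checked rather than assumed. The `--TEST--` title is wrapped over two lines here, which is worth confirming against how run-tests.php in 5.3 reports test names.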