components/php/php56/patches/CVE-2015-6832.patch
changeset 5116 867d838118ad
5115:9c865404b7f5 5116:867d838118ad
       
     1 # Source: upstream
       
     2 # http://git.php.net/?p=php-src.git;a=commit;h=b7fa67742cd8d2b0ca0c0273b157f6ffee9ad6e2
       
     3 # https://bugs.php.net/bug.php?id=70068
       
     4 # Patch cleaned up
       
     5 
       
     6 From b7fa67742cd8d2b0ca0c0273b157f6ffee9ad6e2 Mon Sep 17 00:00:00 2001
       
     7 From: Stanislav Malyshev <[email protected]>
       
     8 Date: Sun, 26 Jul 2015 17:25:25 -0700
       
     9 Subject: [PATCH] Fix bug #70068 (Dangling pointer in the unserialization of
       
    10  ArrayObject items)
       
    11 
       
    12 ---
       
    13  ext/spl/spl_array.c         | 90 +++++++++++++++++++++++----------------------
       
    14  ext/spl/tests/bug70068.phpt |  9 +++++
       
    15  2 files changed, 56 insertions(+), 43 deletions(-)
       
    16  create mode 100644 ext/spl/tests/bug70068.phpt
       
    17 
       
    18 diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
       
    19 index ec9ce21..a37eced 100644
       
    20 @@ -1774,13 +1774,11 @@ SPL_METHOD(Array, unserialize)
       
    21  
       
    22  	ALLOC_INIT_ZVAL(pflags);
       
    23  	if (!php_var_unserialize(&pflags, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pflags) != IS_LONG) {
       
    24 -		zval_ptr_dtor(&pflags);
       
    25  		goto outexcept;
       
    26  	}
       
    27  
       
    28  	--p; /* for ';' */
       
    29  	flags = Z_LVAL_P(pflags);
       
    30 -	zval_ptr_dtor(&pflags);
       
    31  	/* flags needs to be verified and we also need to verify whether the next
       
    32  	 * thing we get is ';'. After that we require an 'm' or somethign else
       
    33  	 * where 'm' stands for members and anything else should be an array. If
       
    34 @@ -1830,10 +1828,16 @@ SPL_METHOD(Array, unserialize)
       
    35  	/* done reading $serialized */
       
    36  
       
    37  	PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
       
    38 +	if (pflags) {
       
    39 +		zval_ptr_dtor(&pflags);
       
    40 +	}
       
    41  	return;
       
    42  
       
    43  outexcept:
       
    44  	PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
       
    45 +	if (pflags) {
       
    46 +		zval_ptr_dtor(&pflags);
       
    47 +	}
       
    48  	zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC, "Error at offset %ld of %d bytes", (long)((char*)p - buf), buf_len);
       
    49  	return;
       
    50  
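Review bot: The `if (pflags)` guards added before both `return`s only make the late destroy safe if `pflags` is NULL-initialised at its declaration, which lies outside the hunk; any `goto outexcept` taken before `ALLOC_INIT_ZVAL(pflags)` would otherwise pass an indeterminate pointer to `zval_ptr_dtor`, so the declaration should be confirmed to read `zval *pflags = NULL;`. The ordering that the fix depends on — destroying `pflags` only after `PHP_VAR_UNSERIALIZE_DESTROY(var_hash)`, presumably because the unserializer's reference table may still point at that zval (the test's `r:3;` exercises exactly that) — is nowhere stated in the code, so a comment above the first guard such as `/* pflags may still be referenced via var_hash; destroy it only after var_hash is torn down */` would keep a future cleanup from reintroducing the early dtor. The embedded header's diffstat (56 insertions, 43 deletions) describes the full upstream commit rather than these cleaned-up hunks and may mislead anyone comparing against the PHP tree. SPL_METHOD(Array, unserialize) begins before and continues after both hunks.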
       
    51 diff --git a/ext/spl/tests/bug70068.phpt b/ext/spl/tests/bug70068.phpt
       
    52 new file mode 100644
       
    53 index 0000000..92a38df
       
    54 --- /dev/null
       
    55 +++ b/ext/spl/tests/bug70068.phpt
       
    56 @@ -0,0 +1,9 @@
       
    57 +--TEST--
       
    58 +Bug #70068 (Dangling pointer in the unserialization of ArrayObject items)
       
    59 +--FILE--
       
    60 +<?php
       
    61 +$a = unserialize('a:3:{i:0;C:11:"ArrayObject":20:{x:i:0;r:3;;m:a:0:{};}i:1;d:11;i:2;S:31:"AAAAAAAABBBBCCCC\01\00\00\00\04\00\00\00\00\00\00\00\00\00\00";}');
       
    62 +?>
       
    63 +OK
       
    64 +--EXPECT--
       
    65 +OK
       
    66 \ No newline at end of file
       
    67 -- 
       
    68 2.1.4
       
    69 
       
    70