|
1 CVE-2014-3669 |
|
2 Community BUG: |
|
3 https://bugs.php.net/bug.php?id=68044 |
|
4 Community CODE: |
|
5 http://git.php.net/?p=php-src.git;a=commit;h=56754a7f9eba0e4f559b6ca081d9f2a447b3f159 |
|
6 Below is the community patch. |
|
7 |
|
8 |
|
9 |
|
10 From 56754a7f9eba0e4f559b6ca081d9f2a447b3f159 Mon Sep 17 00:00:00 2001 |
|
11 From: Stanislav Malyshev <[email protected]> |
|
12 Date: Sun, 28 Sep 2014 14:19:31 -0700 |
|
13 Subject: [PATCH] Fixed bug #68044: Integer overflow in unserialize() (32-bits |
|
14 only) |
|
15 |
|
16 --- |
|
17 NEWS | 5 ++++- |
|
18 ext/standard/tests/serialize/bug68044.phpt | 12 ++++++++++++ |
|
19 ext/standard/var_unserializer.c | 4 ++-- |
|
20 ext/standard/var_unserializer.re | 2 +- |
|
21 4 files changed, 19 insertions(+), 4 deletions(-) |
|
22 create mode 100644 ext/standard/tests/serialize/bug68044.phpt |
|
23 |
|
24 diff --git a/ext/standard/tests/serialize/bug68044.phpt b/ext/standard/tests/serialize/bug68044.phpt |
|
25 new file mode 100644 |
|
26 index 0000000..031e44e |
|
27 --- /dev/null |
|
28 +++ b/ext/standard/tests/serialize/bug68044.phpt |
|
29 @@ -0,0 +1,12 @@ |
|
30 +--TEST-- |
|
31 +Bug #68044 Integer overflow in unserialize() (32-bits only) |
|
32 +--FILE-- |
|
33 +<?php |
|
34 + echo unserialize('C:3:"XYZ":18446744075857035259:{}'); |
|
35 +?> |
|
36 +===DONE== |
|
37 +--EXPECTF-- |
|
38 +Warning: Insufficient data for unserializing - %d required, 1 present in %s/bug68044.php on line 2 |
|
39 + |
|
40 +Notice: unserialize(): Error at offset 32 of 33 bytes in %s/bug68044.php on line 2 |
|
41 +===DONE== |
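Review bot: The test has no `--SKIPIF--` section even though its title says "32-bits only", so it also runs on 64-bit builds, where it probably passes with or without the fix because the pointer sum in `object_custom` does not wrap there. Either restrict it with `--SKIPIF--` and `<?php if (PHP_INT_SIZE != 4) die("skip 32-bit only"); ?>`, or add a comment saying the test is a regression signal only on 32-bit. The `===DONE==` marker is one `=` short of the usual `===DONE===`; it matches between `--FILE--` and `--EXPECTF--`, so that part is cosmetic.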
|
42 diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c |
|
43 index 657051f..8129da3 100644 |
|
44 --- a/ext/standard/var_unserializer.c |
|
45 +++ b/ext/standard/var_unserializer.c |
|
46 @@ -372,7 +372,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce) |
|
47 |
|
48 (*p) += 2; |
|
49 |
|
50 - if (datalen < 0 || (*p) + datalen >= max) { |
|
51 + if (datalen < 0 || (max - (*p)) <= datalen) { |
|
52 zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p))); |
|
53 return 0; |
|
54 } |
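Review bot: The rewritten bound in `object_custom` has no comment saying why it is written as a subtraction, and `(max - (*p)) <= datalen` is easy to "simplify" back into the pointer sum that wrapped on 32-bit. I would add above the `if`: `/* Compare against the bytes remaining; (*p) + datalen can wrap past max on 32-bit (bug #68044). */`. The same line changes in the var_unserializer.re hunk and the comment belongs there as well; the .c file looks like generated output of the .re, so the .re copy is the one that would survive regeneration, which is worth confirming. The body of `object_custom` starts and ends outside the hunk, so later uses of `datalen` are not visible here.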
|
55 diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re |
|
56 index 1307508..6de1583 100644 |
|
57 --- a/ext/standard/var_unserializer.re |
|
58 +++ b/ext/standard/var_unserializer.re |
|
59 @@ -376,7 +376,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce) |
|
60 |
|
61 (*p) += 2; |
|
62 |
|
63 - if (datalen < 0 || (*p) + datalen >= max) { |
|
64 + if (datalen < 0 || (max - (*p)) <= datalen) { |
|
65 zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p))); |
|
66 return 0; |
|
67 } |
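Review bot: `datalen` reaches this check already wrapped. The length in the new test, 18446744075857035259, does not fit in 64 bits, yet the expected output is the `%ld required` warning from this branch. The code that parses the length field is outside the hunk, but if it accumulates digits into a signed `long` without a range check, that is signed overflow (undefined behaviour in C), and this bound only sees whatever value results. A follow-up that rejects lengths above `LONG_MAX` at parse time would make the `datalen < 0` test a second line of defence instead of the only one. `object_custom` continues outside the hunk.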
|
68 -- |
|
69 2.1.4 |
|
70 |