--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/214_php_19556437.patch Thu Feb 12 10:14:29 2015 -0800
@@ -0,0 +1,47 @@
+Fix for CVE-2014-4698
+Patch:
+http://git.php.net/?p=php-src.git;a=commitdiff;h=22882a9d89712ff2b6ebc20a689a89452bba4dcd
+
+Hand crafted patch for php 5.3 from above due to context differences.
+
+--- php-5.3.29/ext/spl/spl_array.c_orig 2014-08-13 12:22:50.000000000 -0700
++++ php-5.3.29/ext/spl/spl_array.c 2014-11-04 14:31:14.198629945 -0800
+@@ -1843,6 +1843,7 @@
+ int buf_len;
+ spl_array_object *intern = (spl_array_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
+ int was_in_unserialize = intern->unserialize_data != NULL;
++ HashTable *aht;
+
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &buf, &buf_len) == FAILURE) {
+ return;
+@@ -1853,6 +1854,12 @@
+ return;
+ }
+
++ aht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
++ if (aht->nApplyCount > 0) {
++ zend_error(E_WARNING, "Modification of ArrayObject during sorting is prohibited");
++ return;
++ }
++
+ if (!was_in_unserialize) {
+ intern->unserialize_data = emalloc(sizeof(php_unserialize_data_t));
+ PHP_VAR_UNSERIALIZE_INIT(*intern->unserialize_data);
+--- php-5.3.29/ext/spl/tests/bug67539.phpt_orig 2014-11-04 14:32:52.307769425 -0800
++++ php-5.3.29/ext/spl/tests/bug67539.phpt 2014-11-04 14:33:24.460710922 -0800
+@@ -0,0 +1,15 @@
++--TEST--
++Bug #67539 (ArrayIterator use-after-free due to object change during sorting)
++--FILE--
++<?php
++
++$it = new ArrayIterator(array_fill(0,2,'X'), 1 );
++
++function badsort($a, $b) {
++ $GLOBALS['it']->unserialize($GLOBALS['it']->serialize());
++ return TRUE;
++}
++
++$it->uksort('badsort');
++--EXPECTF--
++Warning: Modification of ArrayObject during sorting is prohibited in %sbug67539.php on line %d
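Review bot: The guard added in the nested spl_array.c hunk dereferences `aht->nApplyCount` immediately after `spl_array_get_hash_table(intern, 0 TSRMLS_CC)` without a NULL check. The helper's definition is not visible on this page, so if it can return NULL when the backing storage is no longer an array, the new line would crash instead of warning; `if (aht && aht->nApplyCount > 0) {` keeps the use-after-free guard and leaves the NULL case to the existing code path. The enclosing function starts and ends outside both nested hunks, so this should be confirmed against the full 5.3.29 source, given that the patch was hand-crafted for different context. The new bug67539.phpt covers only `ArrayIterator::uksort`; a second case using `ArrayObject` and `uasort` would confirm the check also holds for the other sort entry points that run user callbacks.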