Mercurial Mercurial > upstream > oracle > userland-gate / diff
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
components/php-5_3/php-sapi/patches/220_php_20258327.patch
changeset 3745 9d42081739cf 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/220_php_20258327.patch	Fri Feb 06 14:28:07 2015 -0800
@@ -0,0 +1,60 @@
+Fix from PHP community for CVE-2014-8142
+Bug:
+https://bugs.php.net/bug.php?id=68594
+Code:
+http://git.php.net/?p=php-src.git;a=commit;h=630f9c33c23639de85c3fd306b209b538b73b4c9
+This patch is for a newer version of php so this hand crafted equivalent
+was created for php 5.3.
+
+--- php-5.3.29/ext/standard/var_unserializer.re_orig	2014-08-13 12:22:50.000000000 -0700
++++ php-5.3.29/ext/standard/var_unserializer.re	2015-02-05 14:51:58.796366953 -0800
+@@ -304,6 +304,9 @@
+ 		} else {
+ 			/* object properties should include no integers */
+ 			convert_to_string(key);
++			if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
++				var_push_dtor(var_hash, old_data);
++			}
+ 			zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
+ 					sizeof data, NULL);
+ 		}
+
+--- php-5.3.29/ext/standard/var_unserializer.c_orig	2014-08-13 12:27:30.000000000 -0700
++++ php-5.3.29/ext/standard/var_unserializer.c	2015-02-05 15:20:42.925115687 -0800
+@@ -298,6 +298,9 @@
+ 		} else {
+ 			/* object properties should include no integers */
+ 			convert_to_string(key);
++			if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
++				var_push_dtor(var_hash, old_data);
++			}
+ 			zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
+ 					sizeof data, NULL);
+ 		}
+
+--- php-5.3.29/ext/standard/tests/serialize/bug68594.phpt_orig	2015-02-05 14:59:34.551069069 -0800
++++ php-5.3.29/ext/standard/tests/serialize/bug68594.phpt	2015-02-05 14:54:28.269051205 -0800
+@@ -0,0 +1,23 @@
++--TEST--
++Bug #68545 Use after free vulnerability in unserialize()
++--FILE--
++<?php
++for ($i=4; $i<100; $i++) {
++	$m = new StdClass();
++
++	$u = array(1);
++
++	$m->aaa = array(1,2,&$u,4,5);
++	$m->bbb = 1;
++	$m->ccc = &$u;
++	$m->ddd = str_repeat("A", $i);
++
++	$z = serialize($m);
++	$z = str_replace("bbb", "aaa", $z);
++	$y = unserialize($z);
++	$z = serialize($y);
++}
++?>
++===DONE===
++--EXPECTF--
++===DONE===
upstream/oracle/userland-gate