Mercurial Mercurial > upstream > oracle > userland-gate / file revision
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
components/php-5_3/php-sapi/patches/220_php_20258327.patch
author Craig Mohrman <craig.mohrman@oracle.com>
Wed, 11 Feb 2015 10:30:02 -0800
branchs11u2-sru
changeset 3810 8421290d92e0
permissions -rw-r--r--
19838509 upgrade php to version 5.3.29 18857741 problem in UTILITY/PHP 18890894 problem in UTILITY/PHP 18890895 problem in UTILITY/PHP 19003253 problem in UTILITY/PHP 19167518 problem in UTILITY/PHP 19519142 problem in UTILITY/PHP 19556437 problem in UTILITY/PHP 19707971 problem in UTILITY/PHP 19796954 problem in UTILITY/PHP 20258327 problem in UTILITY/PHP 20488612 announce PHP 5.2 EOF in man page

Fix from PHP community for CVE-2014-8142
Bug:
https://bugs.php.net/bug.php?id=68594
Code:
http://git.php.net/?p=php-src.git;a=commit;h=630f9c33c23639de85c3fd306b209b538b73b4c9
This patch is for a newer version of php so this hand crafted equivalent
was created for php 5.3.

--- php-5.3.29/ext/standard/var_unserializer.re_orig	2014-08-13 12:22:50.000000000 -0700
+++ php-5.3.29/ext/standard/var_unserializer.re	2015-02-05 14:51:58.796366953 -0800
@@ -304,6 +304,9 @@
 		} else {
 			/* object properties should include no integers */
 			convert_to_string(key);
+			if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
+				var_push_dtor(var_hash, old_data);
+			}
 			zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
 					sizeof data, NULL);
 		}

--- php-5.3.29/ext/standard/var_unserializer.c_orig	2014-08-13 12:27:30.000000000 -0700
+++ php-5.3.29/ext/standard/var_unserializer.c	2015-02-05 15:20:42.925115687 -0800
@@ -298,6 +298,9 @@
 		} else {
 			/* object properties should include no integers */
 			convert_to_string(key);
+			if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
+				var_push_dtor(var_hash, old_data);
+			}
 			zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
 					sizeof data, NULL);
 		}

--- php-5.3.29/ext/standard/tests/serialize/bug68594.phpt_orig	2015-02-05 14:59:34.551069069 -0800
+++ php-5.3.29/ext/standard/tests/serialize/bug68594.phpt	2015-02-05 14:54:28.269051205 -0800
@@ -0,0 +1,23 @@
+--TEST--
+Bug #68545 Use after free vulnerability in unserialize()
+--FILE--
+<?php
+for ($i=4; $i<100; $i++) {
+	$m = new StdClass();
+
+	$u = array(1);
+
+	$m->aaa = array(1,2,&$u,4,5);
+	$m->bbb = 1;
+	$m->ccc = &$u;
+	$m->ddd = str_repeat("A", $i);
+
+	$z = serialize($m);
+	$z = str_replace("bbb", "aaa", $z);
+	$y = unserialize($z);
+	$z = serialize($y);
+}
+?>
+===DONE===
+--EXPECTF--
+===DONE===
upstream/oracle/userland-gate