# HG changeset patch
# User Craig Mohrman
# Date 1434126350 25200
# Node ID ae2aef15d437f134bd6260badc49a3615cd8c1cf
# Parent 9ef7eed37f24a674dd3574854ed09863e901b4e7
20293317 problem in UTILITY/PHP 20433646 problem in UTILITY/PHP
diff -r 9ef7eed37f24 -r ae2aef15d437 components/php-5_2/php-sapi/patches/70_php-Zend-zend_ts_hash.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_2/php-sapi/patches/70_php-Zend-zend_ts_hash.patch Fri Jun 12 09:25:50 2015 -0700
@@ -0,0 +1,18 @@
+From php community:
+BUG: https://bugs.php.net/bug.php?id=68676
+CODE: http://git.php.net/?p=php-src.git;a=commit;h=24125f0f26f3787c006e4a51611ba33
+ee3b841cb
+Created this patch based on the community bug/code above.
+
+
+--- php-5.2.17/Zend/zend_ts_hash.c_orig 2015-06-08 09:49:17.630343098 -0700
++++ php-5.2.17/Zend/zend_ts_hash.c 2015-06-08 09:49:48.515516637 -0700
+@@ -151,7 +151,7 @@
+ 
+ #ifdef ZTS
+ tsrm_mutex_free(ht->mx_reader);
+- tsrm_mutex_free(ht->mx_reader);
++ tsrm_mutex_free(ht->mx_writer);
+ #endif
+ }
+ 
diff -r 9ef7eed37f24 -r ae2aef15d437 components/php-5_3/php-sapi/patches/240_php-Zend-zend_ts_hash.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/240_php-Zend-zend_ts_hash.patch Fri Jun 12 09:25:50 2015 -0700
@@ -0,0 +1,17 @@
+From php community:
+BUG: https://bugs.php.net/bug.php?id=68676
+CODE: http://git.php.net/?p=php-src.git;a=commit;h=24125f0f26f3787c006e4a51611ba33ee3b841cb
+Created for php 5.3 based on code from the community bug.
+
+
+--- php-5.3.29/Zend/zend_ts_hash.c_orig 2014-08-13 12:22:50.000000000 -0700
++++ php-5.3.29/Zend/zend_ts_hash.c 2015-05-20 16:03:20.370320770 -0700
+@@ -151,7 +151,7 @@
+ 
+ #ifdef ZTS
+ tsrm_mutex_free(ht->mx_reader);
+- tsrm_mutex_free(ht->mx_reader);
++ tsrm_mutex_free(ht->mx_writer);
+ #endif
+ }
+ 
diff -r 9ef7eed37f24 -r ae2aef15d437 components/php-5_3/php-sapi/patches/250_php_20433646.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
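Review bot: The header of 70_php-Zend-zend_ts_hash.patch wraps the CODE URL, so the commit hash is split into `...611ba33` and `ee3b841cb`; that breaks the link and any search for the full hash, and it should sit on one line as it does in 240_php-Zend-zend_ts_hash.patch. Neither header says what the defect is. From the inner hunk, the `#ifdef ZTS` cleanup called `tsrm_mutex_free(ht->mx_reader)` twice and never released `mx_writer`, so a summary line such as `Fixes double free of mx_reader and missing free of mx_writer in the ZTS cleanup path` in both headers would let a later auditor see why the patch is carried without opening the bug. The enclosing function begins outside the inner hunk, so its name is not visible here.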
+++ b/components/php-5_3/php-sapi/patches/250_php_20433646.patch Fri Jun 12 09:25:50 2015 -0700 
@@ -0,0 +1,56 @@
+From php community:
+BUG: https://bugs.php.net/bug.php?id=68710
+CODE: https://github.com/php/php-src/commit/b585a3aed7880a5fa5c18e2b838fc96f40e075bd
+Created for php 5.3 based on code from the community bug.
+
+
+--- php-5.3.29/ext/standard/var_unserializer.c_orig 2015-06-03 16:10:58.649025322 -0700
++++ php-5.3.29/ext/standard/var_unserializer.c 2015-06-03 16:11:38.093987868 -0700
+@@ -298,7 +298,7 @@
+ } else {
+ /* object properties should include no integers */
+ convert_to_string(key);
+- if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
++ if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
+ var_push_dtor(var_hash, old_data);
+ }
+ zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
+--- php-5.3.29/ext/standard/var_unserializer.re_orig 2015-06-03 16:09:21.637872795 -0700
++++ php-5.3.29/ext/standard/var_unserializer.re 2015-06-03 16:10:05.641543642 -0700
+@@ -304,7 +304,7 @@
+ } else {
+ /* object properties should include no integers */
+ convert_to_string(key);
+- if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
++ if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
+ var_push_dtor(var_hash, old_data);
+ }
+ zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
+--- php-5.3.29/ext/standard/tests/strings/bug68710.phpt_orig 2015-06-03 16:16:50.728789966 -0700
++++ php-5.3.29/ext/standard/tests/strings/bug68710.phpt 2015-06-03 16:12:43.728868416 -0700
+@@ -0,0 +1,25 @@
++--TEST--
++Bug #68710 Use after free vulnerability in unserialize() (bypassing the
++CVE-2014-8142 fix)
++--FILE--
++aaa = array(1,2,&$u,4,5);
++ $m->bbb = 1;
++ $m->ccc = &$u;
++ $m->ddd = str_repeat("A", $i);
++
++ $z = serialize($m);
++ $z = str_replace("aaa", "123", $z);
++ $z = str_replace("bbb", "123", $z);
++ $y = unserialize($z);
++ $z = serialize($y);
++}
++?>
++===DONE===
++--EXPECTF--
++===DONE===
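Review bot: The added bug68710.phpt asserts only `===DONE===`, so on an ordinary build a reintroduced use-after-free in unserialize() would still pass unless it happens to crash. The test is only meaningful when run under a memory checker (for example valgrind with `USE_ZEND_ALLOC=0`) or a debug build, and the patch header should say so. Separately, this changeset gives php-5_2 the mutex patch but no counterpart to 250_php_20433646.patch. If the 5.2.17 tree as shipped carries the CVE-2014-8142 backport with the same `zend_symtable_find` lookup before `zend_hash_update`, it would need the same one-line change in both var_unserializer.c and var_unserializer.re; that cannot be confirmed from this page. Both inner hunks start and end inside a function whose signature lies outside the hunk.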