Projects
home:rottame:vhosts-ng:php53
php5
php-5.3.29-CVE-2015-0231.patch
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File php-5.3.29-CVE-2015-0231.patch of Package php5
diff -Naur php-5.3.29-original/ext/standard/tests/strings/bug68710.phpt php-5.3.29/ext/standard/tests/strings/bug68710.phpt --- php-5.3.29-original/ext/standard/tests/strings/bug68710.phpt 1970-01-01 00:00:00.000000000 +0000 +++ php-5.3.29/ext/standard/tests/strings/bug68710.phpt 2015-01-24 14:53:04.321385336 +0000 @@ -0,0 +1,25 @@ +--TEST-- +Bug #68710 Use after free vulnerability in unserialize() (bypassing the +CVE-2014-8142 fix) +--FILE-- +<?php +for ($i=4; $i<100; $i++) { + $m = new StdClass(); + + $u = array(1); + + $m->aaa = array(1,2,&$u,4,5); + $m->bbb = 1; + $m->ccc = &$u; + $m->ddd = str_repeat("A", $i); + + $z = serialize($m); + $z = str_replace("aaa", "123", $z); + $z = str_replace("bbb", "123", $z); + $y = unserialize($z); + $z = serialize($y); +} +?> +===DONE=== +--EXPECTF-- +===DONE=== diff -Naur php-5.3.29-original/ext/standard/var_unserializer.c php-5.3.29/ext/standard/var_unserializer.c --- php-5.3.29-original/ext/standard/var_unserializer.c 2015-01-24 14:50:14.682381430 +0000 +++ php-5.3.29/ext/standard/var_unserializer.c 2015-01-24 14:51:47.623383570 +0000 @@ -298,7 +298,7 @@ } else { /* object properties should include no integers */ convert_to_string(key); - if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) { + if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) { var_push_dtor(var_hash, old_data); } zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, diff -Naur php-5.3.29-original/ext/standard/var_unserializer.re php-5.3.29/ext/standard/var_unserializer.re --- php-5.3.29-original/ext/standard/var_unserializer.re 2015-01-24 14:50:14.685381430 +0000 +++ php-5.3.29/ext/standard/var_unserializer.re 2015-01-24 14:52:13.191384159 +0000 @@ -304,7 +304,7 @@ } else { /* object properties should include no integers */ convert_to_string(key); - if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) { + if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) { var_push_dtor(var_hash, old_data); } zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.