File php-5.3.3-CVE-2014-4698.patch of Package php5
Patch adapted for PHP 5.3.3
Original patch:
From 22882a9d89712ff2b6ebc20a689a89452bba4dcd Mon Sep 17 00:00:00 2001
From: Xinchen Hui <laruence@php.net>
Date: Wed, 2 Jul 2014 17:57:42 +0800
Subject: [PATCH] Fixed bug #67539 (ArrayIterator use-after-free due to object
change during sorting)
---
NEWS | 2 ++
ext/spl/spl_array.c | 7 +++++++
ext/spl/tests/bug67539.phpt | 15 +++++++++++++++
3 files changed, 24 insertions(+)
create mode 100644 ext/spl/tests/bug67539.phpt
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 8392e72..0fe47b6 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -1661,8 +1661,15 @@
{
const unsigned char *p, *s;
zval *pmembers, *pflags = NULL;
+ HashTable *aht;
long flags;
+ aht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
+ if (aht->nApplyCount > 0) {
+ zend_error(E_WARNING, "Modification of ArrayObject during sorting is prohibited");
+ return;
+ }
+
/* storage */
s = p = buf;
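Review bot: `aht` is dereferenced in `if (aht->nApplyCount > 0)` without a NULL check, so if `spl_array_get_hash_table()` can return NULL in this 5.3.3 tree (the helper is not visible in the hunk), the new guard would itself crash before it can reject the call. Writing it as `if (aht && aht->nApplyCount > 0) {` keeps the warning path and leaves a NULL table to whatever handling the rest of the function has. The function's signature and parameter parsing lie outside the hunk, so confirm that `intern` is already assigned at the point where the backport places this check. A short comment above the check, such as `/* a sort callback must not replace the storage being sorted (bug #67539) */`, would record why it is there.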
diff --git a/ext/spl/tests/bug67539.phpt b/ext/spl/tests/bug67539.phpt
new file mode 100644
index 0000000..8bab2a8
--- /dev/null
+++ b/ext/spl/tests/bug67539.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #67539 (ArrayIterator use-after-free due to object change during sorting)
+--FILE--
+<?php
+
+$it = new ArrayIterator(array_fill(0,2,'X'), 1 );
+
+function badsort($a, $b) {
+ $GLOBALS['it']->unserialize($GLOBALS['it']->serialize());
+ return TRUE;
+}
+
+$it->uksort('badsort');
+--EXPECTF--
+Warning: Modification of ArrayObject during sorting is prohibited in %sbug67539.php on line %d
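Review bot: The regression test drives only `uksort()`, so it covers just one of the user-callback sort entry points. If `uasort()` raises the same apply count on the table (likely, but not shown on this page), a second call `$it->uasort('badsort');` with a matching second `Warning:` line under `--EXPECTF--` would cover it too. The script also prints nothing after the sort, so adding `echo "Done\n";` and a `Done` line to the expectation would show that execution continued normally past the warning.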
--
1.9.2