File php-CVE-2016-7125.patch of Package php7

Index: php-7.0.7/ext/session/session.c
===================================================================
--- php-7.0.7.orig/ext/session/session.c	2016-05-25 15:13:38.000000000 +0200
+++ php-7.0.7/ext/session/session.c	2016-09-08 10:15:28.044015765 +0200
@@ -963,11 +963,13 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /*
 	int namelen;
 	zend_string *name;
 	php_unserialize_data_t var_hash;
+	int skip = 0;
 
 	PHP_VAR_UNSERIALIZE_INIT(var_hash);
 
 	for (p = val; p < endptr; ) {
 		zval *tmp;
+		skip = 0;
 		namelen = ((unsigned char)(*p)) & (~PS_BIN_UNDEF);
 
 		if (namelen < 0 || namelen > PS_BIN_MAX || (p + namelen) >= endptr) {
@@ -983,8 +985,7 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /*
 		if ((tmp = zend_hash_find(&EG(symbol_table), name))) {
 			if ((Z_TYPE_P(tmp) == IS_ARRAY &&
 				Z_ARRVAL_P(tmp) == &EG(symbol_table)) || tmp == &PS(http_session_vars)) {
-				zend_string_release(name);
-				continue;
+				skip = 1;
 			}
 		}
 
@@ -992,8 +993,10 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /*
 			zval *current, rv;
 			current = var_tmp_var(&var_hash);
 			if (php_var_unserialize(current, (const unsigned char **) &p, (const unsigned char *) endptr, &var_hash)) {
-				ZVAL_PTR(&rv, current);
-				php_set_session_var(name, &rv, &var_hash );
+				if (!skip) {
+					ZVAL_PTR(&rv, current);
+					php_set_session_var(name, &rv, &var_hash );
+				}
 			} else {
 				zend_string_release(name);
 				php_session_normalize_vars();
@@ -1001,7 +1004,9 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /*
 				return FAILURE;
 			}
 		} else {
-			PS_ADD_VARL(name);
+			if (!skip) {
+				PS_ADD_VARL(name);
+			}
 		}
 		zend_string_release(name);
 	}
@@ -1055,6 +1060,7 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
 	zend_string *name;
 	int has_value, retval = SUCCESS;
 	php_unserialize_data_t var_hash;
+	int skip = 0;
 
 	PHP_VAR_UNSERIALIZE_INIT(var_hash);
 
@@ -1063,6 +1069,7 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
 	while (p < endptr) {
 		zval *tmp;
 		q = p;
+		skip = 0;
 		while (*q != PS_DELIMITER) {
 			if (++q >= endptr) goto break_outer_loop;
 		}
@@ -1080,7 +1087,7 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
 		if ((tmp = zend_hash_find(&EG(symbol_table), name))) {
 			if ((Z_TYPE_P(tmp) == IS_ARRAY &&
 				Z_ARRVAL_P(tmp) == &EG(symbol_table)) || tmp == &PS(http_session_vars)) {
-				goto skip;
+				skip = 1;
 			}
 		}
 
@@ -1088,15 +1095,19 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
 			zval *current, rv;
 			current = var_tmp_var(&var_hash);
 			if (php_var_unserialize(current, (const unsigned char **)&q, (const unsigned char *)endptr, &var_hash)) {
-				ZVAL_PTR(&rv, current);
-				php_set_session_var(name, &rv, &var_hash);
+				if (!skip) {
+					ZVAL_PTR(&rv, current);
+					php_set_session_var(name, &rv, &var_hash);
+				}
 			} else {
 				zend_string_release(name);
 				retval = FAILURE;
 				goto break_outer_loop;
 			}
 		} else {
-			PS_ADD_VARL(name);
+			if (!skip) {
+				PS_ADD_VARL(name);
+			}
 		}
 skip:
 		zend_string_release(name);
openSUSE Build Service is sponsored by