File php-CVE-2016-9934.patch of Package php5.10549

Index: php-5.6.1/ext/pdo/pdo_stmt.c
===================================================================
--- php-5.6.1.orig/ext/pdo/pdo_stmt.c	2014-10-01 11:17:38.000000000 +0200
+++ php-5.6.1/ext/pdo/pdo_stmt.c	2016-12-14 12:31:02.815437269 +0100
@@ -2352,6 +2352,7 @@ void pdo_stmt_init(TSRMLS_D)
 	pdo_row_ce->ce_flags |= ZEND_ACC_FINAL_CLASS; /* when removing this a lot of handlers need to be redone */
 	pdo_row_ce->create_object = pdo_row_new;
 	pdo_row_ce->serialize = pdo_row_serialize;
+	pdo_row_ce->unserialize = zend_class_unserialize_deny;
 }
 
 static void free_statement(pdo_stmt_t *stmt TSRMLS_DC)
Index: php-5.6.1/ext/wddx/wddx.c
===================================================================
--- php-5.6.1.orig/ext/wddx/wddx.c	2016-12-14 12:31:02.771436100 +0100
+++ php-5.6.1/ext/wddx/wddx.c	2016-12-14 12:39:16.440553686 +0100
@@ -471,8 +471,18 @@ static void php_wddx_serialize_object(wd
 	ulong idx;
 	char tmp_buf[WDDX_BUF_LEN];
 	HashTable *objhash, *sleephash;
+	zend_class_entry *ce;
+	PHP_CLASS_ATTRIBUTES;
 	TSRMLS_FETCH();
 
+	PHP_SET_CLASS_ATTRIBUTES(obj);
+	ce = Z_OBJCE_P(obj);
+	if (!ce || ce->serialize || ce->unserialize) {
+	        php_error_docref(NULL TSRMLS_CC, E_WARNING, "Class %s can not be serialized", class_name);
+	        PHP_CLEANUP_CLASS_ATTRIBUTES();
+	        return;
+	}
+
 	MAKE_STD_ZVAL(fname);
 	ZVAL_STRING(fname, "__sleep", 1);
 
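Review bot: The guard added at the top of php_wddx_serialize_object carries no comment saying why a class with a `serialize` or `unserialize` handler is refused, and the reason is not obvious from the condition alone. A comment above the `if` such as `/* WDDX walks the raw property table and never calls ce->serialize/ce->unserialize, so classes that depend on those handlers are rejected */` would record it. The three lines inside the `if` body are indented with a tab followed by spaces, while the rest of the function uses tabs. The function body continues outside this hunk.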
@@ -482,10 +492,6 @@ static void php_wddx_serialize_object(wd
 	 */
 	if (call_user_function_ex(CG(function_table), &obj, fname, &retval, 0, 0, 1, NULL TSRMLS_CC) == SUCCESS) {
 		if (retval && (sleephash = HASH_OF(retval))) {
-			PHP_CLASS_ATTRIBUTES;
-			
-			PHP_SET_CLASS_ATTRIBUTES(obj);
-
 			php_wddx_add_chunk_static(packet, WDDX_STRUCT_S);
 			snprintf(tmp_buf, WDDX_BUF_LEN, WDDX_VAR_S, PHP_CLASS_NAME_VAR);
 			php_wddx_add_chunk(packet, tmp_buf);
@@ -494,8 +500,6 @@ static void php_wddx_serialize_object(wd
 			php_wddx_add_chunk_static(packet, WDDX_STRING_E);
 			php_wddx_add_chunk_static(packet, WDDX_VAR_E);
 
-			PHP_CLEANUP_CLASS_ATTRIBUTES();
-
 			objhash = HASH_OF(obj);
 			
 			for (zend_hash_internal_pointer_reset(sleephash);
@@ -516,10 +520,6 @@ static void php_wddx_serialize_object(wd
 	} else {
 		uint key_len;
 
-		PHP_CLASS_ATTRIBUTES;
-
-		PHP_SET_CLASS_ATTRIBUTES(obj);
-
 		php_wddx_add_chunk_static(packet, WDDX_STRUCT_S);
 		snprintf(tmp_buf, WDDX_BUF_LEN, WDDX_VAR_S, PHP_CLASS_NAME_VAR);
 		php_wddx_add_chunk(packet, tmp_buf);
@@ -528,8 +528,6 @@ static void php_wddx_serialize_object(wd
 		php_wddx_add_chunk_static(packet, WDDX_STRING_E);
 		php_wddx_add_chunk_static(packet, WDDX_VAR_E);
 
-		PHP_CLEANUP_CLASS_ATTRIBUTES();
-		
 		objhash = HASH_OF(obj);
 		for (zend_hash_internal_pointer_reset(objhash);
 			 zend_hash_get_current_data(objhash, (void**)&ent) == SUCCESS;
@@ -551,6 +549,8 @@ static void php_wddx_serialize_object(wd
 		php_wddx_add_chunk_static(packet, WDDX_STRUCT_E);
 	}
 
+	PHP_CLEANUP_CLASS_ATTRIBUTES();
+
 	zval_dtor(fname);
 	FREE_ZVAL(fname);
 
@@ -1010,25 +1010,30 @@ static void php_wddx_pop_element(void *u
 							pce = &PHP_IC_ENTRY;
 						}
 
-						/* Initialize target object */
-						MAKE_STD_ZVAL(obj);
-						object_init_ex(obj, *pce);
-						
-						/* Merge current hashtable with object's default properties */
-						zend_hash_merge(Z_OBJPROP_P(obj),
-										Z_ARRVAL_P(ent2->data),
-										(void (*)(void *)) zval_add_ref,
-										(void *) &tmp, sizeof(zval *), 0);
-
-						if (incomplete_class) {
-							php_store_class_name(obj, Z_STRVAL_P(ent1->data), Z_STRLEN_P(ent1->data));
-						}
-
-						/* Clean up old array entry */
-						zval_ptr_dtor(&ent2->data);
-						
-						/* Set stack entry to point to the newly created object */
-						ent2->data = obj;
+                                                if (pce != &PHP_IC_ENTRY && ((*pce)->serialize || (*pce)->unserialize)) {
+                                                        ent2->data = NULL;
+                                                        php_error_docref(NULL TSRMLS_CC, E_WARNING, "Class %s can not be unserialized", Z_STRVAL_P(ent1->data));
+                                                } else {
+                                                        /* Initialize target object */
+                                                        MAKE_STD_ZVAL(obj);
+                                                        object_init_ex(obj, *pce);
+ 
+                                                        /* Merge current hashtable with object's default properties */
+                                                        zend_hash_merge(Z_OBJPROP_P(obj),
+                                                                                        Z_ARRVAL_P(ent2->data),
+                                                                                        (void (*)(void *)) zval_add_ref,
+                                                                                        (void *) &tmp, sizeof(zval *), 0);
+ 
+                                                        if (incomplete_class) {
+                                                                php_store_class_name(obj, Z_STRVAL_P(ent1->data), Z_STRLEN_P(ent1->data));
+                                                        }
+ 
+                                                        /* Clean up old array entry */
+                                                        zval_ptr_dtor(&ent2->data);
+ 
+                                                        /* Set stack entry to point to the newly created object */
+                                                        ent2->data = obj;
+                                                }
 						
 						/* Clean up class name var entry */
 						zval_ptr_dtor(&ent1->data);
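Review bot: The new deny branch in php_wddx_pop_element sets `ent2->data = NULL` without first releasing the array zval it pointed to, whereas the else branch calls `zval_ptr_dtor(&ent2->data)` before overwriting it. Each rejected class name in a packet therefore appears to leak that array. Adding `zval_ptr_dtor(&ent2->data);` immediately before `ent2->data = NULL;` would make the two branches consistent. The code that later reads `ent2->data` lies outside this hunk, so it is worth confirming that every consumer tolerates a NULL entry, since the packet contents come from untrusted input. The added lines are also indented with spaces where the surrounding file uses tabs, which makes the re-indented else body look like a rewrite.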