File php-CVE-2016-9934.patch of Package php7.5285

Index: php-7.0.7/ext/pdo/pdo_stmt.c
===================================================================
--- php-7.0.7.orig/ext/pdo/pdo_stmt.c	2016-05-25 15:13:50.000000000 +0200
+++ php-7.0.7/ext/pdo/pdo_stmt.c	2016-12-14 12:16:21.768022203 +0100
@@ -2299,6 +2299,7 @@ void pdo_stmt_init(void)
 	pdo_row_ce->ce_flags |= ZEND_ACC_FINAL; /* when removing this a lot of handlers need to be redone */
 	pdo_row_ce->create_object = pdo_row_new;
 	pdo_row_ce->serialize = pdo_row_serialize;
+	pdo_row_ce->unserialize = zend_class_unserialize_deny;
 }
 
 PDO_API void php_pdo_free_statement(pdo_stmt_t *stmt)
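Review bot: The added `pdo_row_ce->unserialize = zend_class_unserialize_deny;` line carries no comment explaining why PDORow refuses unserialization while the line above still installs `pdo_row_serialize`. A short comment such as `/* PDORow must never be rebuilt from serialized input; the handlers also mark it as non-serializable for ext/wddx */` would stop a later cleanup from dropping it as redundant. The WDDX guard added further down in this patch tests `ce->serialize || ce->unserialize`, so these two handlers are what that check relies on. The start of pdo_stmt_init lies outside this hunk.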
Index: php-7.0.7/ext/wddx/wddx.c
===================================================================
--- php-7.0.7.orig/ext/wddx/wddx.c	2016-12-14 12:16:21.772022309 +0100
+++ php-7.0.7/ext/wddx/wddx.c	2016-12-14 12:26:54.232829950 +0100
@@ -448,6 +448,16 @@ static void php_wddx_serialize_object(wd
 	zend_ulong idx;
 	char tmp_buf[WDDX_BUF_LEN];
 	HashTable *objhash, *sleephash;
+       zend_class_entry *ce;
+       PHP_CLASS_ATTRIBUTES;
+
+       PHP_SET_CLASS_ATTRIBUTES(obj);
+       ce = Z_OBJCE_P(obj);
+       if (!ce || ce->serialize || ce->unserialize) {
+               php_error_docref(NULL, E_WARNING, "Class %s can not be serialized", ZSTR_VAL(class_name));
+               PHP_CLEANUP_CLASS_ATTRIBUTES();
+               return;
+       }
 
 	ZVAL_STRING(&fname, "__sleep");
 	/*
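Review bot: The `!ce` test in the added guard runs after `PHP_SET_CLASS_ATTRIBUTES(obj)`, which presumably already reads the object's class entry to fill `class_name` (the macro definition is outside this hunk), so the null check cannot protect anything. Either drop it or move `ce = Z_OBJCE_P(obj);` and the null test above the macro call. The early `return` also writes no chunk for the rejected object, so it is worth confirming in the caller, which is not visible here, that the packet stays well-formed when a value is skipped. The added lines are indented with spaces while the surrounding code uses tabs, and the same applies to the later added hunks in this file. php_wddx_serialize_object starts and ends outside this hunk.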
@@ -468,8 +478,6 @@ static void php_wddx_serialize_object(wd
 			php_wddx_add_chunk_static(packet, WDDX_STRING_E);
 			php_wddx_add_chunk_static(packet, WDDX_VAR_E);
 
-			PHP_CLEANUP_CLASS_ATTRIBUTES();
-
 			objhash = Z_OBJPROP_P(obj);
 
 			ZEND_HASH_FOREACH_VAL(sleephash, varname) {
@@ -486,10 +494,6 @@ static void php_wddx_serialize_object(wd
 			php_wddx_add_chunk_static(packet, WDDX_STRUCT_E);
 		}
 	} else {
-		PHP_CLASS_ATTRIBUTES;
-
-		PHP_SET_CLASS_ATTRIBUTES(obj);
-
 		php_wddx_add_chunk_static(packet, WDDX_STRUCT_S);
 		snprintf(tmp_buf, WDDX_BUF_LEN, WDDX_VAR_S, PHP_CLASS_NAME_VAR);
 		php_wddx_add_chunk(packet, tmp_buf);
@@ -498,8 +502,6 @@ static void php_wddx_serialize_object(wd
 		php_wddx_add_chunk_static(packet, WDDX_STRING_E);
 		php_wddx_add_chunk_static(packet, WDDX_VAR_E);
 
-		PHP_CLEANUP_CLASS_ATTRIBUTES();
-
 		objhash = Z_OBJPROP_P(obj);
 		ZEND_HASH_FOREACH_KEY_VAL(objhash, idx, key, ent) {
 			if (ent == obj) {
@@ -523,6 +525,8 @@ static void php_wddx_serialize_object(wd
 		php_wddx_add_chunk_static(packet, WDDX_STRUCT_E);
 	}
 
+       PHP_CLEANUP_CLASS_ATTRIBUTES();
+
 	zval_ptr_dtor(&fname);
 	zval_ptr_dtor(&retval);
 }
@@ -941,23 +945,28 @@ static void php_wddx_pop_element(void *u
 							pce = PHP_IC_ENTRY;
 						}
 
-						/* Initialize target object */
-						object_init_ex(&obj, pce);
-
-						/* Merge current hashtable with object's default properties */
-						zend_hash_merge(Z_OBJPROP(obj),
-										Z_ARRVAL(ent2->data),
-										zval_add_ref, 0);
-
-						if (incomplete_class) {
-							php_store_class_name(&obj, Z_STRVAL(ent1->data), Z_STRLEN(ent1->data));
-						}
-
-						/* Clean up old array entry */
-						zval_ptr_dtor(&ent2->data);
-
-						/* Set stack entry to point to the newly created object */
-						ZVAL_COPY_VALUE(&ent2->data, &obj);
+                                               if (pce != PHP_IC_ENTRY && (pce->serialize || pce->unserialize)) {
+                                                       ZVAL_UNDEF(&ent2->data);
+                                                       php_error_docref(NULL, E_WARNING, "Class %s can not be unserialized", Z_STRVAL(ent1->data));
+                                               } else {
+                                                       /* Initialize target object */
+                                                       object_init_ex(&obj, pce);
+
+                                                       /* Merge current hashtable with object's default properties */
+                                                       zend_hash_merge(Z_OBJPROP(obj),
+                                                                                       Z_ARRVAL(ent2->data),
+                                                                                       zval_add_ref, 0);
+
+                                                       if (incomplete_class) {
+                                                               php_store_class_name(&obj, Z_STRVAL(ent1->data), Z_STRLEN(ent1->data));
+                                                       }
+
+                                                       /* Clean up old array entry */
+                                                       zval_ptr_dtor(&ent2->data);
+
+                                                       /* Set stack entry to point to the newly created object */
+                                                       ZVAL_COPY_VALUE(&ent2->data, &obj);
+                                               }
 
 						/* Clean up class name var entry */
 						zval_ptr_dtor(&ent1->data);
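Review bot: The new reject branch overwrites `ent2->data` with `ZVAL_UNDEF` without releasing what it held, whereas the `else` branch calls `zval_ptr_dtor(&ent2->data)` on the same entry before replacing it. Since `ent2->data` is passed to `Z_ARRVAL` in that branch it appears to hold the decoded struct array, so every rejected class name would leak that array; for attacker-supplied packets that is a memory-exhaustion vector. I would add `zval_ptr_dtor(&ent2->data);` immediately before `ZVAL_UNDEF(&ent2->data);`. The code that later consumes the stack entry is outside this hunk and should be checked to tolerate an `IS_UNDEF` value rather than assuming an object or array.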