File php-CVE-2016-10161.patch of Package php7.7220

Index: php-7.0.7/ext/standard/var_unserializer.re
===================================================================
--- php-7.0.7.orig/ext/standard/var_unserializer.re	2017-01-30 17:13:08.073097183 +0100
+++ php-7.0.7/ext/standard/var_unserializer.re	2017-01-30 17:14:02.401845445 +0100
@@ -470,6 +470,11 @@ static inline zend_long object_common1(U
 {
 	zend_long elements;
 
+	if( *p >= max - 2) {
+		zend_error(E_WARNING, "Bad unserialize data");
+		return -1;
+	}
+
 	elements = parse_iv2((*p) + 2, p);
 
 	(*p) += 2;
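Review bot: The new guard at the top of object_common1 only establishes that the byte at `(*p) + 2` lies inside the buffer. `parse_iv2((*p) + 2, p)` is still called with no end pointer, so nothing visible here bounds the digit scan by `max`. If parse_iv2 depends on the input being NUL-terminated, say so next to the check, e.g. `/* parse_iv2 takes no end bound; relies on the terminating NUL of the input buffer */`, or pass `max` down to it. The parsed count is also returned without a range check, so a negative count in the input would presumably look the same as the new -1 error return; callers reject anything below zero, so this seems harmless but is worth a comment. The function body starts before this hunk and continues past it.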
@@ -480,7 +485,7 @@ static inline zend_long object_common1(U
 		/* If this class implements Serializable, it should not land here but in object_custom(). The passed string
 		obviously doesn't descend from the regular serializer. */
 		zend_error(E_WARNING, "Erroneous data format for unserializing '%s'", ZSTR_VAL(ce->name));
-		return 0;
+		return -1;
 	}
 
 	return elements;
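Review bot: The failure value of object_common1 changes from 0 to -1 on this line, but nothing documents the new contract. A header comment on the function would make the sentinel explicit, e.g. `/* Returns the element count, or -1 on malformed input; a negative result must not be passed to object_common2(). */`. Only the two call sites touched later in this patch test for `elements < 0`, so any other caller in the file would need the same check; none is visible here, so that should be confirmed against the full source.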
@@ -785,10 +790,14 @@ use_double:
 }
 
 "o:" iv ":" ["] {
+	long elements;
     if (!var_hash) return 0;
 
-	return object_common2(UNSERIALIZE_PASSTHRU,
-			object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR));
+	elements = object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR);
+	if (elements < 0) {
+		return 0;
+	}
+	return object_common2(UNSERIALIZE_PASSTHRU, elements);
 }
 
 object ":" uiv ":" ["]	{
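Review bot: The local added in the `"o:"` rule is declared `long elements;`, while object_common1 returns `zend_long`. On a platform where `long` is narrower than `zend_long` (64-bit Windows, for instance) the count is truncated before the `elements < 0` test and before it reaches object_common2, so a large count taken from the serialized input could change value or sign. Declaring it as `zend_long elements;` matches the callee and the other call site.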
@@ -928,6 +937,11 @@ object ":" uiv ":" ["]	{
 
 	elements = object_common1(UNSERIALIZE_PASSTHRU, ce);
 
+	if (elements < 0) {
+	   efree(class_name);
+	   return 0;
+	}
+
 	if (incomplete_class) {
 		php_store_class_name(rval, ZSTR_VAL(class_name), len2);
 	}
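Review bot: The new error path frees `class_name` with `efree(class_name);`, yet the context line below uses `ZSTR_VAL(class_name)`, so it is a `zend_string`. Raw `efree` bypasses the string's refcount and interned-string handling, which is only safe if this is the sole reference to a non-interned string. `zend_string_release(class_name);` is the matching API and is presumably what the rest of the rule uses on its other exits, but that code is outside this hunk. The three added lines are also indented with a tab plus spaces where the surrounding code uses tabs only.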