File php-CVE-2015-6831.patch of Package php5.11538
X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fspl%2Fspl_array.c;h=86608c0d5296616327c50d93fe280d03b5dbba4a;hp=a37eced00253e005366a7d5087e174572b28e547;hb=7381b6accc5559b2de039af3a22f6ec1003b03b3;hpb=c7d3c027d5ce45c96c8450a7f074ab2dfbcaa0c4
Index: ext/spl/spl_array.c
===================================================================
--- ext/spl/spl_array.c.orig 2014-10-01 11:17:38.000000000 +0200
+++ ext/spl/spl_array.c 2015-08-20 09:16:26.594618824 +0200
@@ -1774,6 +1774,7 @@
goto outexcept;
}
+ var_push_dtor(&var_hash, &pflags);
--p; /* for ';' */
flags = Z_LVAL_P(pflags);
zval_ptr_dtor(&pflags);
@@ -1798,6 +1799,7 @@
if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)) {
goto outexcept;
}
+ var_push_dtor(&var_hash, &intern->array);
}
if (*p != ';') {
goto outexcept;
@@ -1816,6 +1818,7 @@
goto outexcept;
}
+ var_push_dtor(&var_hash, &pmembers);
/* copy members */
if (!intern->std.properties) {
rebuild_object_properties(&intern->std);
Index: ext/spl/spl_observer.c
===================================================================
--- ext/spl/spl_observer.c.orig 2014-10-01 11:17:38.000000000 +0200
+++ ext/spl/spl_observer.c 2015-08-20 10:15:57.164329814 +0200
@@ -848,6 +848,7 @@
goto outexcept;
}
+ var_push_dtor(&var_hash, &pcount);
--p; /* for ';' */
count = Z_LVAL_P(pcount);
@@ -919,6 +920,7 @@
goto outexcept;
}
+ var_push_dtor(&var_hash, &pmembers);
/* copy members */
if (!intern->std.properties) {
rebuild_object_properties(&intern->std);
commit e9d961ee18c6dba28a3a7670a3de29dfa349148e
Author: Stanislav Malyshev <stas@php.net>
Date: Sat Aug 1 21:51:08 2015 -0700
Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList)
--- ext/spl/spl_dllist.c
+++ ext/spl/spl_dllist.c
@@ -1209,6 +1209,7 @@ SPL_METHOD(SplDoublyLinkedList, unserialize)
zval_ptr_dtor(&flags);
goto error;
}
+ var_push_dtor(&var_hash, &flags);
intern->flags = Z_LVAL_P(flags);
zval_ptr_dtor(&flags);
