File php-CVE-2016-10161.patch of Package php5.11538

Index: php-5.5.14/ext/standard/var_unserializer.re
===================================================================
--- php-5.5.14.orig/ext/standard/var_unserializer.re	2017-01-30 17:29:26.678575864 +0100
+++ php-5.5.14/ext/standard/var_unserializer.re	2017-01-30 17:32:31.301118624 +0100
@@ -407,6 +407,11 @@ static inline long object_common1(UNSERI
 {
 	long elements;
 	
+	if( *p >= max - 2) {
+		zend_error(E_WARNING, "Bad unserialize data");
+		return -1;
+	}
+
 	elements = parse_iv2((*p) + 2, p);
 
 	(*p) += 2;
@@ -421,7 +426,7 @@ static inline long object_common1(UNSERI
 		/* If this class implements Serializable, it should not land here but in object_custom(). The passed string
 		obviously doesn't descend from the regular serializer. */
 		zend_error(E_WARNING, "Erroneous data format for unserializing '%s'", ce->name);
-		return 0;
+		return -1;
 	}
 
 	return elements;
@@ -688,12 +693,16 @@ use_double:
 }
 
 "o:" iv ":" ["] {
+	long elements;
     if (!var_hash) return 0;
 
 	INIT_PZVAL(*rval);
 	
-	return object_common2(UNSERIALIZE_PASSTHRU,
-			object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR));
+	elements = object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR);
+	if (elements < 0) {
+		return 0;
+	}
+	return object_common2(UNSERIALIZE_PASSTHRU, elements);
 }
 
 object ":" uiv ":" ["]	{
@@ -835,6 +844,11 @@ object ":" uiv ":" ["]	{
 	
 	elements = object_common1(UNSERIALIZE_PASSTHRU, ce);
 
+	if (elements < 0) {
+	   efree(class_name);
+	   return 0;
+	}
+
 	if (incomplete_class) {
 		php_store_class_name(*rval, class_name, len2);
 	}