File php-CVE-2016-10161.patch of Package php5.11538
Index: php-5.5.14/ext/standard/var_unserializer.re
===================================================================
--- php-5.5.14.orig/ext/standard/var_unserializer.re 2017-01-30 17:29:26.678575864 +0100
+++ php-5.5.14/ext/standard/var_unserializer.re 2017-01-30 17:32:31.301118624 +0100
@@ -407,6 +407,11 @@ static inline long object_common1(UNSERI
{
long elements;
+ if( *p >= max - 2) {
+ zend_error(E_WARNING, "Bad unserialize data");
+ return -1;
+ }
+
elements = parse_iv2((*p) + 2, p);
(*p) += 2;
@@ -421,7 +426,7 @@ static inline long object_common1(UNSERI
/* If this class implements Serializable, it should not land here but in object_custom(). The passed string
obviously doesn't descend from the regular serializer. */
zend_error(E_WARNING, "Erroneous data format for unserializing '%s'", ce->name);
- return 0;
+ return -1;
}
return elements;
@@ -688,12 +693,16 @@ use_double:
}
"o:" iv ":" ["] {
+ long elements;
if (!var_hash) return 0;
INIT_PZVAL(*rval);
- return object_common2(UNSERIALIZE_PASSTHRU,
- object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR));
+ elements = object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR);
+ if (elements < 0) {
+ return 0;
+ }
+ return object_common2(UNSERIALIZE_PASSTHRU, elements);
}
object ":" uiv ":" ["] {
@@ -835,6 +844,11 @@ object ":" uiv ":" ["] {
elements = object_common1(UNSERIALIZE_PASSTHRU, ce);
+ if (elements < 0) {
+ efree(class_name);
+ return 0;
+ }
+
if (incomplete_class) {
php_store_class_name(*rval, class_name, len2);
}