File php-CVE-2015-6834.patch of Package php5.3636

X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fstandard%2Fvar.c;h=33b976f42dff8dc388b92124a1b0c236a23fc259;hp=7603ff2ee093d986e16f3c421ba2ba7a8fd6fb83;hb=e8429400d40e3c3aa4b22ba701991d698a2f3b2f;hpb=e201f01ac17243a1e5fb6a3911ed8e21b1619ac1

Index: ext/standard/var.c
===================================================================
--- ext/standard/var.c.orig	2014-10-01 11:17:38.000000000 +0200
+++ ext/standard/var.c	2015-09-14 16:19:34.307893363 +0200
@@ -951,6 +951,8 @@
 	int buf_len;
 	const unsigned char *p;
 	php_unserialize_data_t var_hash;
+	int oldlevel;
+	zval *old_rval = return_value;
 
 	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &buf, &buf_len) == FAILURE) {
 		RETURN_FALSE;
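Review bot: `int oldlevel;` is declared here but neither var.c hunk in this patch reads or writes it, so unless the unchanged part of the function uses it, this is a dead local that will draw an unused-variable warning. If it is a leftover from the upstream change, drop the line; `zval *old_rval = return_value;` is the only new declaration the later block needs. The function body continues outside the hunk.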
@@ -970,6 +972,19 @@
 		}
 		RETURN_FALSE;
 	}
+	if (return_value != old_rval) {
+		/*
+		 * Terrible hack due to the fact that executor passes us zval *,
+		 * but unserialize with r/R wants to replace it with another zval *
+		 */
+		zval_dtor(old_rval);
+		*old_rval = *return_value;
+		zval_copy_ctor(old_rval);
+		var_push_dtor_no_addref(&var_hash, &return_value);
+		var_push_dtor_no_addref(&var_hash, &old_rval);
+	} else {
+		var_push_dtor(&var_hash, &return_value);
+	}
 	PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
 }
 /* }}} */
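Review bot: The "Terrible hack" comment does not say who owns `old_rval` after `*old_rval = *return_value;`, and that is the part of this block most likely to go wrong. The whole-struct assignment copies the reference count and is_ref flag along with the value, and `old_rval` is the executor's return slot, yet it is then queued with `var_push_dtor_no_addref(&var_hash, &old_rval)` for release when `PHP_VAR_UNSERIALIZE_DESTROY` runs on the next line. Whether that release balances depends on the refcount `return_value` carries at that point, which the hunk does not show. I would extend the comment with the intended invariant, for example `/* old_rval inherits return_value's refcount; the no_addref push hands one of those references to var_hash */` if that is the intent, and confirm it on a debug build with a serialized input that uses a top-level reference.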
Index: ext/standard/var_unserializer.re
===================================================================
--- ext/standard/var_unserializer.re.orig	2015-09-14 16:19:34.179891643 +0200
+++ ext/standard/var_unserializer.re	2015-09-14 16:19:34.307893363 +0200
@@ -496,7 +496,7 @@
 	}
 
 	if (*rval != NULL) {
-		zval_ptr_dtor(rval);
+		var_push_dtor_no_addref(var_hash, rval);
 	}
 	*rval = *rval_ref;
 	Z_ADDREF_PP(rval);
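Review bot: `var_push_dtor_no_addref(var_hash, rval)` is now the only thing that disposes of the old `*rval` before it is overwritten, so this rule depends on `var_hash` being usable. The same patch adds `if (!var_hash) return 0;` to three other rules but not in the lines shown here; the rule starts outside the hunk, so the guard may already exist above. If it does not, add `if (!var_hash) return 0;` at the top of the rule. Without it, a NULL `var_hash` would either be dereferenced or cause the release to be skipped, depending on how the helper treats it.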
@@ -655,6 +655,7 @@
 	long elements = parse_iv(start + 2);
 	/* use iv() not uiv() in order to check data range */
 	*p = YYCURSOR;
+    if (!var_hash) return 0;
 
 	if (elements < 0) {
 		return 0;
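Review bot: The added `if (!var_hash) return 0;` is indented with four spaces and left unbraced, while the neighbouring lines use tabs and braces (`if (elements < 0) {`). The same applies to the identical lines added in the `"o:"` rule and in the object-parsing hunk below. Writing each guard as `if (!var_hash) {`, `return 0;`, `}` with tab indentation matches the file and makes these security checks harder to overlook in later merges. A short comment such as `/* compound values need var_hash to track references and deferred dtors */` would also record why a NULL hash is treated as a parse failure, assuming that is the reason. The enclosing rule starts outside this hunk.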
@@ -672,6 +673,7 @@
 }
 
 "o:" iv ":" ["] {
+    if (!var_hash) return 0;
 
 	INIT_PZVAL(*rval);
 	
@@ -694,6 +696,7 @@
 	zval **args[1];
 	zval *arg_func_name;
 
+    if (!var_hash) return 0;
 	if (*start == 'C') {
 		custom_object = 1;
 	}
X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fspl%2Fspl_observer.c;h=6a2e3211e501a556b493b008b685294a847ed06e;hp=5d94a3b7b36b8edd94c2cbc9bc4fd671fa9243a2;hb=f06a069c462d37c2e009f6d1d93b8c8e7b713393;hpb=e8429400d40e3c3aa4b22ba701991d698a2f3b2f
--- ext/spl/spl_observer.c
+++ ext/spl/spl_observer.c
@@ -853,6 +853,7 @@ SPL_METHOD(SplObjectStorage, unserialize)
 			zval_ptr_dtor(&pentry);
 			goto outexcept;
 		}
+		var_push_dtor(&var_hash, &pentry);
 		if(Z_TYPE_P(pentry) != IS_OBJECT) {
 			zval_ptr_dtor(&pentry);
 			goto outexcept;
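Review bot: The added `var_push_dtor(&var_hash, &pentry);` has no comment explaining why a zval that is about to be type-checked and possibly released must first be registered with `var_hash`, so a later cleanup could remove it as redundant. Judging by the patch name, this registration is the use-after-free fix itself: it presumably keeps the zval alive until the hash is destroyed, so later back-references in the same serialized stream cannot reach freed memory. I would add `/* keep alive until var_hash is destroyed; later r:/R: entries may still refer to it */` above the call. The same comment belongs above `var_push_dtor(&var_hash, &pinf);` in the next hunk and `var_push_dtor(&var_hash, &elem);` in spl_dllist.c. The method body starts and ends outside the hunk.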
@@ -864,6 +865,7 @@ SPL_METHOD(SplObjectStorage, unserialize)
 				zval_ptr_dtor(&pinf);
 				goto outexcept;
 			}
+			var_push_dtor(&var_hash, &pinf);
 		}
 
 		hash = spl_object_storage_get_hash(intern, getThis(), pentry, &hash_len TSRMLS_CC);
X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fspl%2Fspl_dllist.c;h=ebe61c3f7a7fcc90568b91d115ae5b5a0783629d;hp=011d7a6e3c43634139fa59094b64f13646a8f00e;hb=259057b2a484747a6c73ce54c4fa0f5acbd56179;hpb=f06a069c462d37c2e009f6d1d93b8c8e7b713393
--- ext/spl/spl_dllist.c
+++ ext/spl/spl_dllist.c
@@ -1221,6 +1221,7 @@ SPL_METHOD(SplDoublyLinkedList, unserialize)
 			zval_ptr_dtor(&elem);
 			goto error;
 		}
+		var_push_dtor(&var_hash, &elem);
 
 		spl_ptr_llist_push(intern->llist, elem TSRMLS_CC);
 	}