File php-CVE-2016-10162.patch of Package php7.16129
Index: php-7.0.7/ext/wddx/wddx.c
===================================================================
--- php-7.0.7.orig/ext/wddx/wddx.c 2017-01-31 09:51:45.076861792 +0100
+++ php-7.0.7/ext/wddx/wddx.c 2017-01-31 09:53:25.534287162 +0100
@@ -955,22 +955,26 @@ static void php_wddx_pop_element(void *u
php_error_docref(NULL, E_WARNING, "Class %s can not be unserialized", Z_STRVAL(ent1->data));
} else {
/* Initialize target object */
- object_init_ex(&obj, pce);
+ if (object_init_ex(&obj, pce) != SUCCESS || EG(exception)) {
+ zval_ptr_dtor(&ent2->data);
+ ZVAL_UNDEF(&ent2->data);
+ php_error_docref(NULL, E_WARNING, "Class %s can not be instantiated", Z_STRVAL(ent1->data));
+ } else {
+ /* Merge current hashtable with object's default properties */
+ zend_hash_merge(Z_OBJPROP(obj),
+ Z_ARRVAL(ent2->data),
+ zval_add_ref, 0);
- /* Merge current hashtable with object's default properties */
- zend_hash_merge(Z_OBJPROP(obj),
- Z_ARRVAL(ent2->data),
- zval_add_ref, 0);
+ if (incomplete_class) {
+ php_store_class_name(&obj, Z_STRVAL(ent1->data), Z_STRLEN(ent1->data));
+ }
- if (incomplete_class) {
- php_store_class_name(&obj, Z_STRVAL(ent1->data), Z_STRLEN(ent1->data));
- }
-
- /* Clean up old array entry */
- zval_ptr_dtor(&ent2->data);
+ /* Clean up old array entry */
+ zval_ptr_dtor(&ent2->data);
- /* Set stack entry to point to the newly created object */
- ZVAL_COPY_VALUE(&ent2->data, &obj);
+ /* Set stack entry to point to the newly created object */
+ ZVAL_COPY_VALUE(&ent2->data, &obj);
+ }
}
/* Clean up class name var entry */
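Review bot: The failure branch taken on `object_init_ex(&obj, pce) != SUCCESS || EG(exception)` releases `ent2->data` but never `obj`, so if the call can return SUCCESS while an exception is pending, the object it just built would be leaked, and the class name driving this path comes from the data being deserialized. object_init_ex is not shown here, so that case needs confirming; keeping the result and releasing only on success covers it without touching `obj` after a failed init: `int rc = object_init_ex(&obj, pce);` and, inside the failure branch, `if (rc == SUCCESS) { zval_ptr_dtor(&obj); }`. The branch also leaves `ent2->data` as UNDEF, which whatever consumes the stack entry later must tolerate; a comment such as `/* ent2->data stays UNDEF: the class named in the packet could not be instantiated */` would record that contract. php_wddx_pop_element starts and ends outside the hunk, so neither that later use nor the declaration of `obj` is visible.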