File php-CVE-2014-4698.patch of Package php5

X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fspl%2Fspl_array.c;h=0fe47b651c13f80c35e612de5cf69ea306095fe6;hp=8392e72714b80483641b1a0d2b6e6389e3c22959;hb=22882a9d89712ff2b6ebc20a689a89452bba4dcd;hpb=df78c48354f376cf419d7a97f88ca07d572f00fb
Index: ext/spl/spl_array.c
===================================================================
--- ext/spl/spl_array.c.orig	2014-06-25 15:06:23.000000000 +0200
+++ ext/spl/spl_array.c	2014-07-17 17:24:01.085311011 +0200
@@ -1733,6 +1733,7 @@
 	const unsigned char *p, *s;
 	php_unserialize_data_t var_hash;
 	zval *pmembers, *pflags = NULL;
+	HashTable *aht;
 	long flags;
 
 	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &buf, &buf_len) == FAILURE) {
@@ -1744,6 +1745,12 @@
 		return;
 	}
 
+	aht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
+	if (aht->nApplyCount > 0) {
+		zend_error(E_WARNING, "Modification of ArrayObject during sorting is prohibited");
+		return;
+	}
+
 	/* storage */
 	s = p = (const unsigned char*)buf;
 	PHP_VAR_UNSERIALIZE_INIT(var_hash);
openSUSE Build Service is sponsored by