File php-CVE-2015-6832.patch of Package php5
https://gist.githubusercontent.com/smalyshev/c08cacf74c3bc381452c/raw/180a70d296ebf3c5a0a3fece5e3a0503d6b59af1/70068.diff
Index: ext/spl/spl_array.c
===================================================================
--- ext/spl/spl_array.c.orig 2015-08-20 15:40:25.190035728 +0200
+++ ext/spl/spl_array.c 2015-08-20 15:41:44.443163795 +0200
@@ -1770,14 +1770,12 @@
ALLOC_INIT_ZVAL(pflags);
if (!php_var_unserialize(&pflags, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pflags) != IS_LONG) {
- zval_ptr_dtor(&pflags);
goto outexcept;
}
var_push_dtor(&var_hash, &pflags);
--p; /* for ';' */
flags = Z_LVAL_P(pflags);
- zval_ptr_dtor(&pflags);
/* flags needs to be verified and we also need to verify whether the next
* thing we get is ';'. After that we require an 'm' or somethign else
* where 'm' stands for members and anything else should be an array. If
@@ -1829,10 +1827,16 @@
/* done reading $serialized */
PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
+ if (pflags) {
+ zval_ptr_dtor(&pflags);
+ }
return;
outexcept:
PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
+ if (pflags) {
+ zval_ptr_dtor(&pflags);
+ }
zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC, "Error at offset %ld of %d bytes", (long)((char*)p - buf), buf_len);
return;