File php-5.3.17-CVE-2014-3515.patch of Package php5.openSUSE_12.3_Update
From: Stanislav Malyshev <stas@php.net>
Date: Sun, 22 Jun 2014 02:46:16 +0000 (-0700)
Subject: Fix bug #67492: unserialize() SPL ArrayObject / SPLObjectStorage Type Confusion
X-Git-Tag: php-5.4.30~6
X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=commitdiff_plain;h=88223c5245e9b470e1e6362bfd96829562ffe6ab
Fix bug #67492: unserialize() SPL ArrayObject / SPLObjectStorage Type Confusion
---
Index: ext/spl/spl_array.c
===================================================================
--- ext/spl/spl_array.c.orig 2014-06-30 17:45:07.373212272 +0200
+++ ext/spl/spl_array.c 2014-06-30 17:49:00.493207840 +0200
@@ -1806,7 +1806,7 @@
++p;
ALLOC_INIT_ZVAL(pmembers);
- if (!php_var_unserialize(&pmembers, &p, s + buf_len, var_hash_p TSRMLS_CC)) {
+ if (!php_var_unserialize(&pmembers, &p, s + buf_len, var_hash_p TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) {
zval_ptr_dtor(&pmembers);
goto outexcept;
}
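Review bot: The `|| Z_TYPE_P(pmembers) != IS_ARRAY` condition added to the `if` in ext/spl/spl_array.c carries no comment explaining why a value that unserialized successfully is still rejected, so a later cleanup could drop it as redundant. I would put `/* pmembers is parsed from untrusted serialized input; anything other than an array must be rejected here (bug #67492) */` directly above the `if`, and the same comment above the identical check in the ext/spl/spl_observer.c hunk. Presumably the code after this block uses pmembers as an array, but that use is outside the hunk, as are the start and end of the enclosing function, so confirm it there. The patch as shown also adds no regression test that passes a non-array members value to either unserialize path; one per class would keep the check from regressing.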
Index: ext/spl/spl_observer.c
===================================================================
--- ext/spl/spl_observer.c.orig 2014-06-30 17:44:43.821212720 +0200
+++ ext/spl/spl_observer.c 2014-06-30 17:45:07.373212272 +0200
@@ -801,7 +801,7 @@
++p;
ALLOC_INIT_ZVAL(pmembers);
- if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) {
+ if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) {
zval_ptr_dtor(&pmembers);
goto outexcept;
}