File php-5.4.20-CVE-2014-3515.patch of Package php5.openSUSE_13.1_Update

From: Stanislav Malyshev <stas@php.net>
Date: Sun, 22 Jun 2014 02:46:16 +0000 (-0700)
Subject: Fix bug #67492: unserialize() SPL ArrayObject / SPLObjectStorage Type Confusion
X-Git-Tag: php-5.4.30~6
X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=commitdiff_plain;h=88223c5245e9b470e1e6362bfd96829562ffe6ab

Fix bug #67492: unserialize() SPL ArrayObject / SPLObjectStorage Type Confusion
---


diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 758947a..bf034ab 100644
--- ext/spl/spl_array.c
+++ ext/spl/spl_array.c
@@ -1808,7 +1808,7 @@ SPL_METHOD(Array, unserialize)
 	++p;
 
 	ALLOC_INIT_ZVAL(pmembers);
-	if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) {
+	if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) {
 		zval_ptr_dtor(&pmembers);
 		goto outexcept;
 	}
diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c
index 1a706f7..da9110b 100644
--- ext/spl/spl_observer.c
+++ ext/spl/spl_observer.c
@@ -898,7 +898,7 @@ SPL_METHOD(SplObjectStorage, unserialize)
 	++p;
 
 	ALLOC_INIT_ZVAL(pmembers);
-	if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) {
+	if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) {
 		zval_ptr_dtor(&pmembers);
 		goto outexcept;
 	}

Places

File php-5.4.20-CVE-2014-3515.patch of Package php5.openSUSE_13.1_Update

Places