File php-CVE-2015-6834.patch of Package php5.openSUSE_Leap_42.1_Update
X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fstandard%2Fvar.c;h=33b976f42dff8dc388b92124a1b0c236a23fc259;hp=7603ff2ee093d986e16f3c421ba2ba7a8fd6fb83;hb=e8429400d40e3c3aa4b22ba701991d698a2f3b2f;hpb=e201f01ac17243a1e5fb6a3911ed8e21b1619ac1
Index: ext/standard/var.c
===================================================================
--- ext/standard/var.c.orig 2014-10-01 11:17:38.000000000 +0200
+++ ext/standard/var.c 2015-09-14 16:19:34.307893363 +0200
@@ -951,6 +951,8 @@
int buf_len;
const unsigned char *p;
php_unserialize_data_t var_hash;
+ int oldlevel;
+ zval *old_rval = return_value;
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &buf, &buf_len) == FAILURE) {
RETURN_FALSE;
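Review bot: `int oldlevel;` is declared here, but no line in either var.c hunk of this patch reads or writes it, so it looks like a leftover that will only produce an unused-variable warning. The function body continues outside the hunk, so check the full function; if nothing uses it, drop the declaration and keep only `zval *old_rval = return_value;`. A short comment on the kept line, for example `/* executor-supplied return slot; r:/R: handling may repoint return_value */`, would make the later `return_value != old_rval` comparison easier to follow.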
@@ -970,6 +972,19 @@
}
RETURN_FALSE;
}
+ if (return_value != old_rval) {
+ /*
+ * Terrible hack due to the fact that executor passes us zval *,
+ * but unserialize with r/R wants to replace it with another zval *
+ */
+ zval_dtor(old_rval);
+ *old_rval = *return_value;
+ zval_copy_ctor(old_rval);
+ var_push_dtor_no_addref(&var_hash, &return_value);
+ var_push_dtor_no_addref(&var_hash, &old_rval);
+ } else {
+ var_push_dtor(&var_hash, &return_value);
+ }
PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
}
/* }}} */
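Review bot: `*old_rval = *return_value;` is a whole-struct assignment, so it copies the refcount and is_ref header fields of the referenced zval into the executor's return slot along with the value. Two lines later, `var_push_dtor_no_addref(&var_hash, &old_rval);` registers that same slot for a deferred release. These lines do not show whether the slot still carries the count the executor expects once `PHP_VAR_UNSERIALIZE_DESTROY(var_hash)` runs. It deserves an explicit refcount walk-through, because an extra release of the return slot would be a use-after-free of the kind this patch is meant to close. The "Terrible hack" comment should also record the ownership after the block, along the lines of `/* old_rval now holds a separated copy; both zvals are released when var_hash is destroyed */`, adjusted to whatever the walk-through confirms.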
Index: ext/standard/var_unserializer.re
===================================================================
--- ext/standard/var_unserializer.re.orig 2015-09-14 16:19:34.179891643 +0200
+++ ext/standard/var_unserializer.re 2015-09-14 16:19:34.307893363 +0200
@@ -496,7 +496,7 @@
}
if (*rval != NULL) {
- zval_ptr_dtor(rval);
+ var_push_dtor_no_addref(var_hash, rval);
}
*rval = *rval_ref;
Z_ADDREF_PP(rval);
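Review bot: `var_push_dtor_no_addref(var_hash, rval);` is called here with no check on `var_hash`, while the three later hunks in this file add `if (!var_hash) return 0;` before parsing containers. If this reference branch can be reached with a NULL `var_hash`, either the helper dereferences a NULL hash, or (if it returns early on NULL) the old `*rval` is overwritten by `*rval = *rval_ref;` without being released. The helper's definition and the start of this branch are outside the hunk, so confirm which case applies and add the same guard if needed. A comment such as `/* defer the release: entries in var_hash may still point at the old *rval */` would explain why the immediate `zval_ptr_dtor` was replaced.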
@@ -655,6 +655,7 @@
long elements = parse_iv(start + 2);
/* use iv() not uiv() in order to check data range */
*p = YYCURSOR;
+ if (!var_hash) return 0;
if (elements < 0) {
return 0;
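Review bot: The new `if (!var_hash) return 0;` guard carries no comment, and it is repeated verbatim in the `"o:"` hunk and the custom-object hunk below. A reader cannot tell why a NULL hash makes arrays and objects unparseable. A one-line comment at each site would record the intent, for example `/* containers need var_hash to track and defer-release nested values */`; the rationale is inferred, so the author should confirm the wording. The neighbouring check is braced (`if (elements < 0) {`), so `if (!var_hash) { return 0; }` would match the surrounding style. In this hunk the guard sits after `*p = YYCURSOR;`, so the cursor is advanced on the rejected path as well, as it already is for the `elements < 0` case.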
@@ -672,6 +673,7 @@
}
"o:" iv ":" ["] {
+ if (!var_hash) return 0;
INIT_PZVAL(*rval);
@@ -694,6 +696,7 @@
zval **args[1];
zval *arg_func_name;
+ if (!var_hash) return 0;
if (*start == 'C') {
custom_object = 1;
}
X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fspl%2Fspl_observer.c;h=6a2e3211e501a556b493b008b685294a847ed06e;hp=5d94a3b7b36b8edd94c2cbc9bc4fd671fa9243a2;hb=f06a069c462d37c2e009f6d1d93b8c8e7b713393;hpb=e8429400d40e3c3aa4b22ba701991d698a2f3b2f
--- ext/spl/spl_observer.c
+++ ext/spl/spl_observer.c
@@ -853,6 +853,7 @@ SPL_METHOD(SplObjectStorage, unserialize)
zval_ptr_dtor(&pentry);
goto outexcept;
}
+ var_push_dtor(&var_hash, &pentry);
if(Z_TYPE_P(pentry) != IS_OBJECT) {
zval_ptr_dtor(&pentry);
goto outexcept;
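Review bot: The added `var_push_dtor(&var_hash, &pentry);` has no comment saying why a successfully parsed entry must be registered with the hash. The same bare call is added for `pinf` in the next hunk and for `elem` in ext/spl/spl_dllist.c. Presumably the registration keeps the zval alive until the hash is destroyed, so that a later back-reference in the serialized stream cannot resolve to freed memory. A comment at each site would make that explicit, for example `/* keep alive until var_hash is destroyed; later back-references may still resolve to this zval */`. The type-check failure path right after this call still runs `zval_ptr_dtor(&pentry);`, which is balanced only if `var_push_dtor` takes its own reference, as the contrast with `var_push_dtor_no_addref` suggests; the helper is not visible here, so this should be confirmed.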
@@ -864,6 +865,7 @@ SPL_METHOD(SplObjectStorage, unserialize)
zval_ptr_dtor(&pinf);
goto outexcept;
}
+ var_push_dtor(&var_hash, &pinf);
}
hash = spl_object_storage_get_hash(intern, getThis(), pentry, &hash_len TSRMLS_CC);
X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fspl%2Fspl_dllist.c;h=ebe61c3f7a7fcc90568b91d115ae5b5a0783629d;hp=011d7a6e3c43634139fa59094b64f13646a8f00e;hb=259057b2a484747a6c73ce54c4fa0f5acbd56179;hpb=f06a069c462d37c2e009f6d1d93b8c8e7b713393
--- ext/spl/spl_dllist.c
+++ ext/spl/spl_dllist.c
@@ -1221,6 +1221,7 @@ SPL_METHOD(SplDoublyLinkedList, unserialize)
zval_ptr_dtor(&elem);
goto error;
}
+ var_push_dtor(&var_hash, &elem);
spl_ptr_llist_push(intern->llist, elem TSRMLS_CC);
}