rpms / php

Clone
Source Code
GIT

Blame SOURCES/php-5.4.16-CVE-2014-3515.patch

c4 c5 c5-plus c6 c6-plus c7 c7-aarch64 c7-alt c7-beta c7-ppc64le c8-beta-stream-7.2 c8-beta-stream-7.3 c8-beta-stream-7.4 c8-beta-stream-8.0 c8-stream-7.2 c8-stream-7.3 c8-stream-7.4 c8-stream-8.0 c8s-stream-7.4 c8s-stream-8.0 c9 c9-beta c9-beta-stream-8.1 c9-stream-8.1
  1.   f3124db563220a00770498573d2cbfba16b160cb
  2.   SOURCES
  3.   php-5.4.16-CVE-2014-3515.patch
Blob History Raw
b6cbd1 
From a374dfab567ff7f0ab0dc150f14cc891b0340b47 Mon Sep 17 00:00:00 2001
b6cbd1 
From: Stanislav Malyshev <stas@php.net>
b6cbd1 
Date: Sat, 21 Jun 2014 19:46:16 -0700
b6cbd1 
Subject: [PATCH] Fix bug #67492: unserialize() SPL ArrayObject /
b6cbd1 
 SPLObjectStorage Type Confusion
b6cbd1
b6cbd1 
---
b6cbd1 
 ext/spl/spl_array.c                                 | 2 +-
b6cbd1 
 ext/spl/spl_observer.c                              | 2 +-
b6cbd1 
 ext/spl/tests/SplObjectStorage_unserialize_bad.phpt | 5 ++++-
b6cbd1 
 3 files changed, 6 insertions(+), 3 deletions(-)
b6cbd1
b6cbd1 
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
b6cbd1 
index c4b237b..c38065f 100644
b6cbd1 
--- a/ext/spl/spl_array.c
b6cbd1 
+++ b/ext/spl/spl_array.c
b6cbd1 
@@ -1801,7 +1801,7 @@ SPL_METHOD(Array, unserialize)
b6cbd1 
 	++p;
b6cbd1
b6cbd1 
 	ALLOC_INIT_ZVAL(pmembers);
b6cbd1 
-	if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) {
b6cbd1 
+	if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) {
b6cbd1 
 		zval_ptr_dtor(&pmembers);
b6cbd1 
 		goto outexcept;
b6cbd1 
 	}
b6cbd1 
diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c
b6cbd1 
index 57ddf49..f493154 100644
b6cbd1 
--- a/ext/spl/spl_observer.c
b6cbd1 
+++ b/ext/spl/spl_observer.c
b6cbd1 
@@ -898,7 +898,7 @@ SPL_METHOD(SplObjectStorage, unserialize)
b6cbd1 
 	++p;
b6cbd1
b6cbd1 
 	ALLOC_INIT_ZVAL(pmembers);
b6cbd1 
-	if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) {
b6cbd1 
+	if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) {
b6cbd1 
 		zval_ptr_dtor(&pmembers);
b6cbd1 
 		goto outexcept;
b6cbd1 
 	}
b6cbd1 
diff --git a/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt b/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
b6cbd1 
index a525317..8f0676d 100644
b6cbd1 
--- a/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
b6cbd1 
+++ b/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
b6cbd1 
@@ -7,6 +7,7 @@ $badblobs = array(
b6cbd1 
 'x:i:2;i:0;,i:1;;i:0;,i:2;;m:a:0:{}',
b6cbd1 
 'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
b6cbd1 
 'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
b6cbd1 
+'x:i:1;O:8:"stdClass":0:{},N;;m:s:40:"1234567890123456789012345678901234567890"',
b6cbd1 
 );
b6cbd1 
 foreach($badblobs as $blob) {
b6cbd1 
 try {
b6cbd1 
@@ -17,6 +18,7 @@ try {
b6cbd1 
 	echo $e->getMessage()."\n";
b6cbd1 
 }
b6cbd1 
 }
b6cbd1 
+echo "DONE\n";
b6cbd1 
 --EXPECTF--
b6cbd1 
 Error at offset 6 of 34 bytes
b6cbd1 
 Error at offset 46 of 89 bytes
b6cbd1 
@@ -42,4 +44,5 @@ object(SplObjectStorage)#2 (1) {
b6cbd1 
     }
b6cbd1 
   }
b6cbd1 
 }
b6cbd1 
-
b6cbd1 
+Error at offset 79 of 78 bytes
b6cbd1 
+DONE
b6cbd1 
--
b6cbd1 
1.9.2
b6cbd1

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation