rpms / php

Clone
Source Code
GIT

Blame SOURCES/php-5.4.16-CVE-2014-3669.patch

c4 c5 c5-plus c6 c6-plus c7 c7-aarch64 c7-alt c7-beta c7-ppc64le c8-beta-stream-7.2 c8-beta-stream-7.3 c8-beta-stream-7.4 c8-beta-stream-8.0 c8-stream-7.2 c8-stream-7.3 c8-stream-7.4 c8-stream-8.0 c8s-stream-7.4 c8s-stream-8.0 c9 c9-beta c9-beta-stream-8.1 c9-stream-8.1
  1.   2067dae7c5a13451e7b6db16573ea10366a13f84
  2.   SOURCES
  3.   php-5.4.16-CVE-2014-3669.patch
Blob History Raw
2067da 
Adapted for PHP 5.4.16 from
2067da
2067da 
From 56754a7f9eba0e4f559b6ca081d9f2a447b3f159 Mon Sep 17 00:00:00 2001
2067da 
From: Stanislav Malyshev <stas@php.net>
2067da 
Date: Sun, 28 Sep 2014 14:19:31 -0700
2067da 
Subject: [PATCH] Fixed bug #68044: Integer overflow in unserialize() (32-bits
2067da 
 only)
2067da
2067da 
---
2067da 
 NEWS                                       |  5 ++++-
2067da 
 ext/standard/tests/serialize/bug68044.phpt | 12 ++++++++++++
2067da 
 ext/standard/var_unserializer.c            |  4 ++--
2067da 
 ext/standard/var_unserializer.re           |  2 +-
2067da 
 4 files changed, 19 insertions(+), 4 deletions(-)
2067da 
 create mode 100644 ext/standard/tests/serialize/bug68044.phpt
2067da
2067da 
diff --git a/ext/standard/tests/serialize/bug68044.phpt b/ext/standard/tests/serialize/bug68044.phpt
2067da 
new file mode 100644
2067da 
index 0000000..031e44e
2067da 
--- /dev/null
2067da 
+++ b/ext/standard/tests/serialize/bug68044.phpt
2067da 
@@ -0,0 +1,12 @@
2067da 
+--TEST--
2067da 
+Bug #68044 Integer overflow in unserialize() (32-bits only)
2067da 
+--FILE--
2067da 
+
2067da 
+	echo unserialize('C:3:"XYZ":18446744075857035259:{}');
2067da 
+?>
2067da 
+===DONE==
2067da 
+--EXPECTF--
2067da 
+Warning: Insufficient data for unserializing - %d required, 1 present in %s/bug68044.php on line 2
2067da 
+
2067da 
+Notice: unserialize(): Error at offset 32 of 33 bytes in %s/bug68044.php on line 2
2067da 
+===DONE==
2067da 
diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
2067da 
index 657051f..8129da3 100644
2067da 
--- a/ext/standard/var_unserializer.c
2067da 
+++ b/ext/standard/var_unserializer.c
2067da 
@@ -344,7 +344,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
2067da
2067da 
 	(*p) += 2;
2067da
2067da 
-	if (datalen < 0 || (*p) + datalen >= max) {
2067da 
+	if (datalen < 0 || (max - (*p)) <= datalen) {
2067da 
 		zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p)));
2067da 
 		return 0;
2067da 
 	}
2067da 
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
2067da 
index 1307508..6de1583 100644
2067da 
--- a/ext/standard/var_unserializer.re
2067da 
+++ b/ext/standard/var_unserializer.re
2067da 
@@ -350,7 +350,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
2067da
2067da 
 	(*p) += 2;
2067da
2067da 
-	if (datalen < 0 || (*p) + datalen >= max) {
2067da 
+	if (datalen < 0 || (max - (*p)) <= datalen) {
2067da 
 		zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p)));
2067da 
 		return 0;
2067da 
 	}
2067da 
--
2067da 
2.1.0
2067da

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation