rpms / php

Clone
Source Code
GIT

Blame SOURCES/php-5.4.16-CVE-2014-4698.patch

c4 c5 c5-plus c6 c6-plus c7 c7-aarch64 c7-alt c7-beta c7-ppc64le c8-beta-stream-7.2 c8-beta-stream-7.3 c8-beta-stream-7.4 c8-beta-stream-8.0 c8-stream-7.2 c8-stream-7.3 c8-stream-7.4 c8-stream-8.0 c8s-stream-7.4 c8s-stream-8.0 c9 c9-beta c9-beta-stream-8.1 c9-stream-8.1
  1.   c7-alt
  2.   SOURCES
  3.   php-5.4.16-CVE-2014-4698.patch
Blob History Raw
af9dc8 
From 22882a9d89712ff2b6ebc20a689a89452bba4dcd Mon Sep 17 00:00:00 2001
af9dc8 
From: Xinchen Hui <laruence@php.net>
af9dc8 
Date: Wed, 2 Jul 2014 17:57:42 +0800
af9dc8 
Subject: [PATCH] Fixed bug #67539 (ArrayIterator use-after-free due to object
af9dc8 
 change during sorting)
af9dc8
af9dc8 
---
af9dc8 
 NEWS                        |  2 ++
af9dc8 
 ext/spl/spl_array.c         |  7 +++++++
af9dc8 
 ext/spl/tests/bug67539.phpt | 15 +++++++++++++++
af9dc8 
 3 files changed, 24 insertions(+)
af9dc8 
 create mode 100644 ext/spl/tests/bug67539.phpt
af9dc8
af9dc8 
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
af9dc8 
index 8392e72..0fe47b6 100644
af9dc8 
--- a/ext/spl/spl_array.c
af9dc8 
+++ b/ext/spl/spl_array.c
af9dc8 
@@ -1738,6 +1738,7 @@ SPL_METHOD(Array, unserialize)
af9dc8 
 	const unsigned char *p, *s;
af9dc8 
 	php_unserialize_data_t var_hash;
af9dc8 
 	zval *pmembers, *pflags = NULL;
af9dc8 
+	HashTable *aht;
af9dc8 
 	long flags;
af9dc8
af9dc8 
 	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &buf, &buf_len) == FAILURE) {
af9dc8 
@@ -1749,6 +1750,12 @@ SPL_METHOD(Array, unserialize)
af9dc8 
 		return;
af9dc8 
 	}
af9dc8
af9dc8 
+	aht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
af9dc8 
+	if (aht->nApplyCount > 0) {
af9dc8 
+		zend_error(E_WARNING, "Modification of ArrayObject during sorting is prohibited");
af9dc8 
+		return;
af9dc8 
+	}
af9dc8 
+
af9dc8 
 	/* storage */
af9dc8 
 	s = p = (const unsigned char*)buf;
af9dc8 
 	PHP_VAR_UNSERIALIZE_INIT(var_hash);
af9dc8 
diff --git a/ext/spl/tests/bug67539.phpt b/ext/spl/tests/bug67539.phpt
af9dc8 
new file mode 100644
af9dc8 
index 0000000..8bab2a8
af9dc8 
--- /dev/null
af9dc8 
+++ b/ext/spl/tests/bug67539.phpt
af9dc8 
@@ -0,0 +1,15 @@
af9dc8 
+--TEST--
af9dc8 
+Bug #67539 (ArrayIterator use-after-free due to object change during sorting)
af9dc8 
+--FILE--
af9dc8 
+
af9dc8 
+
af9dc8 
+$it = new ArrayIterator(array_fill(0,2,'X'), 1 );
af9dc8 
+
af9dc8 
+function badsort($a, $b) {
af9dc8 
+        $GLOBALS['it']->unserialize($GLOBALS['it']->serialize());
af9dc8 
+        return TRUE;
af9dc8 
+}
af9dc8 
+
af9dc8 
+$it->uksort('badsort');
af9dc8 
+--EXPECTF--
af9dc8 
+Warning: Modification of ArrayObject during sorting is prohibited in %sbug67539.php on line %d
af9dc8 
--
af9dc8 
1.9.2
af9dc8

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation