From 51c38a09970c1f8395e68500c0b2ed1b3c9a6786 Mon Sep 17 00:00:00 2001

From: Xinchen Hui <laruence@php.net>

Date: Wed, 2 Jul 2014 17:57:42 +0800

Subject: [PATCH] Fixed bug #67539 (ArrayIterator use-after-free due to object

 change during sorting)

---

 ext/spl/spl_array.c         |  7 +++++++

 ext/spl/tests/bug67539.phpt | 15 +++++++++++++++

 2 files changed, 22 insertions(+)

 create mode 100644 ext/spl/tests/bug67539.phpt

diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c

index bf034ab..ec9ce21 100644

--- a/ext/spl/spl_array.c

+++ b/ext/spl/spl_array.c

@@ -1726,6 +1726,7 @@ SPL_METHOD(Array, unserialize)

 	const unsigned char *p, *s;

 	php_unserialize_data_t var_hash;

 	zval *pmembers, *pflags = NULL;

+	HashTable *aht;

 	long flags;

 	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &buf, &buf_len) == FAILURE) {

@@ -1737,6 +1738,12 @@ SPL_METHOD(Array, unserialize)

 		return;

 	}

+	aht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);

+	if (aht->nApplyCount > 0) {

+		zend_error(E_WARNING, "Modification of ArrayObject during sorting is prohibited");

+		return;

+	}

+

 	/* storage */

 	s = p = (const unsigned char*)buf;

 	PHP_VAR_UNSERIALIZE_INIT(var_hash);

diff --git a/ext/spl/tests/bug67539.phpt b/ext/spl/tests/bug67539.phpt

new file mode 100644

index 0000000..8bab2a8

--- /dev/null

+++ b/ext/spl/tests/bug67539.phpt

@@ -0,0 +1,15 @@

+--TEST--

+Bug #67539 (ArrayIterator use-after-free due to object change during sorting)

+--FILE--

+

+

+$it = new ArrayIterator(array_fill(0,2,'X'), 1 );

+

+function badsort($a, $b) {

+        $GLOBALS['it']->unserialize($GLOBALS['it']->serialize());

+        return TRUE;

+}

+

+$it->uksort('badsort');

+--EXPECTF--

+Warning: Modification of ArrayObject during sorting is prohibited in %sbug67539.php on line %d

-- 

2.1.0