Blame SOURCES/php-5.6.5-CVE-2015-2787.patch

4c9102
From 646572d6d3847d68124b03936719f60936b49a38 Mon Sep 17 00:00:00 2001
4c9102
From: Stanislav Malyshev <stas@php.net>
4c9102
Date: Tue, 17 Mar 2015 13:20:22 -0700
4c9102
Subject: [PATCH] Fixed bug #68976 - Use After Free Vulnerability in
4c9102
 unserialize()
4c9102
4c9102
---
4c9102
 NEWS                             |  3 +-
4c9102
 ext/standard/var_unserializer.c  | 63 ++++++++++++++++++++--------------------
4c9102
 ext/standard/var_unserializer.re |  1 +
4c9102
 3 files changed, 35 insertions(+), 32 deletions(-)
4c9102
4c9102
diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
4c9102
index f114080..ee0cac4 100644
4c9102
--- a/ext/standard/var_unserializer.c
4c9102
+++ b/ext/standard/var_unserializer.c
4c9102
@@ -346,6 +346,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
4c9102
 			zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
4c9102
 					sizeof data, NULL);
4c9102
 		}
4c9102
+		var_push_dtor(var_hash, &data);
4c9102
 		
4c9102
 		zval_dtor(key);
4c9102
 		FREE_ZVAL(key);
4c9102
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
4c9102
index f04fc74..abac77c 100644
4c9102
--- a/ext/standard/var_unserializer.re
4c9102
+++ b/ext/standard/var_unserializer.re
4c9102
@@ -352,6 +352,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
4c9102
 			zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
4c9102
 					sizeof data, NULL);
4c9102
 		}
4c9102
+		var_push_dtor(var_hash, &data);
4c9102
 		
4c9102
 		zval_dtor(key);
4c9102
 		FREE_ZVAL(key);
4c9102
From 8b14d3052ffcffa17d6e2be652f20e18f8f562ad Mon Sep 17 00:00:00 2001
4c9102
From: Stanislav Malyshev <stas@php.net>
4c9102
Date: Tue, 17 Mar 2015 17:03:46 -0700
4c9102
Subject: [PATCH] add test for bug #68976
4c9102
4c9102
---
4c9102
 ext/standard/tests/serialize/bug68976.phpt | 37 ++++++++++++++++++++++++++++++
4c9102
 1 file changed, 37 insertions(+)
4c9102
 create mode 100644 ext/standard/tests/serialize/bug68976.phpt
4c9102
4c9102
diff --git a/ext/standard/tests/serialize/bug68976.phpt b/ext/standard/tests/serialize/bug68976.phpt
4c9102
new file mode 100644
4c9102
index 0000000..a79a953
4c9102
--- /dev/null
4c9102
+++ b/ext/standard/tests/serialize/bug68976.phpt
4c9102
@@ -0,0 +1,37 @@
4c9102
+--TEST--
4c9102
+Bug #68976 Use After Free Vulnerability in unserialize()
4c9102
+--FILE--
4c9102
+
4c9102
+class evilClass {
4c9102
+	public $name;
4c9102
+	function __wakeup() {
4c9102
+		unset($this->name);
4c9102
+	}
4c9102
+}
4c9102
+
4c9102
+$fakezval = pack(
4c9102
+    'IIII',
4c9102
+    0x00100000,
4c9102
+    0x00000400,
4c9102
+    0x00000000,
4c9102
+    0x00000006 
4c9102
+);
4c9102
+
4c9102
+$data = unserialize('a:2:{i:0;O:9:"evilClass":1:{s:4:"name";a:2:{i:0;i:1;i:1;i:2;}}i:1;R:4;}');
4c9102
+
4c9102
+for($i = 0; $i < 5; $i++) {
4c9102
+    $v[$i] = $fakezval.$i;
4c9102
+}
4c9102
+
4c9102
+var_dump($data);
4c9102
+?>
4c9102
+===DONE===
4c9102
+--EXPECTF--
4c9102
+array(2) {
4c9102
+  [0]=>
4c9102
+  object(evilClass)#1 (0) {
4c9102
+  }
4c9102
+  [1]=>
4c9102
+  int(1)
4c9102
+}
4c9102
+===DONE===