php5.4: add debian u6 patchset

3.15-stable
parent 4bccf1138d
commit ca006e36c7
  1. 28
      testing/php5.4/APKBUILD
  2. 419
      testing/php5.4/d06-u001-CVE-2016-5385.patch
  3. 46
      testing/php5.4/d06-u002-CVE-2016-7124.patch
  4. 17
      testing/php5.4/d06-u003-CVE-2016-7128.patch
  5. 76
      testing/php5.4/d06-u004-CVE-2016-7129.patch
  6. 58
      testing/php5.4/d06-u005-CVE-2016-7130.patch
  7. 105
      testing/php5.4/d06-u006-CVE-2016-7131-7132.patch
  8. 71
      testing/php5.4/d06-u007-CVE-2016-7411.patch
  9. 45
      testing/php5.4/d06-u008-CVE-2016-7417.patch
  10. 73
      testing/php5.4/d06-u009-CVE-2016-7414.patch
  11. 13
      testing/php5.4/d06-u010-CVE-2016-7416.patch
  12. 27
      testing/php5.4/d06-u011-CVE-2016-7412.patch
  13. 180
      testing/php5.4/d06-u012-CVE-2016-7418.patch
  14. 47
      testing/php5.4/d06-u013-CVE-2016-7413.patch

@ -26,7 +26,7 @@
pkgname=php5.4
_pkgreal=php
pkgver=5.4.45
pkgrel=6
pkgrel=7
_apiver=20100412
_suffix=${pkgname#php}
_suffixA=5
@ -180,6 +180,19 @@ source="https://www.php.net/distributions/$_pkgreal-$pkgver.tar.bz2
d05-u017-CVE-2016-4473.patch
d05-u018-BUG-70436.patch
d05-u019-BUG-72681.patch
d06-u001-CVE-2016-5385.patch
d06-u002-CVE-2016-7124.patch
d06-u003-CVE-2016-7128.patch
d06-u004-CVE-2016-7129.patch
d06-u005-CVE-2016-7130.patch
d06-u006-CVE-2016-7131-7132.patch
d06-u007-CVE-2016-7411.patch
d06-u008-CVE-2016-7417.patch
d06-u009-CVE-2016-7414.patch
d06-u010-CVE-2016-7416.patch
d06-u011-CVE-2016-7412.patch
d06-u012-CVE-2016-7418.patch
d06-u013-CVE-2016-7413.patch
"
builddir="$srcdir/$_pkgreal-$pkgver"
@ -796,4 +809,17 @@ bf493c0d321c3b4123ee9f73cf61f1491b107e1aaa89444615cd11ddea5e3f350a236e2029a8e09b
843fc857dfb7240ea2d2fe20536425e4c94f2d96da0bff9d392f3263175d6336951d70a77c38d0c0abaf78542f71aec6f94678280d13cd683a672c3ee608bee2 d05-u017-CVE-2016-4473.patch
a2691eb5fdf1b9eb40572189688af0a0990e3e79145b38c348b02ffe707b148c21a132526a576b5d9c2b3790ad4b88ae9c8ebbde3e83c10f028cf3fc412ab501 d05-u018-BUG-70436.patch
6bf961f65b347a96d44365771725567055798050de00383c2ce82844589bb04ae9d39ab322dc2e6cb1f7070fce3550d77b9d449ee0eb817dcf00cc2cde9fbcdc d05-u019-BUG-72681.patch
36b6c37980a28ab0ce4854f8ff5e8a314bef2d599af1e5ef0181295a021d88981486b108123e1fbab2f48dcc26c37f9866121d4f43725686ac01ca5fd852d36b d06-u001-CVE-2016-5385.patch
26c4fae448eaf9af1adc09980fbb5b1976f5ea6d525494c404d9688882b4fd3f8c6df68039d40c70d014ed1231b739757cb855fad35ac535a89f57666fc15f68 d06-u002-CVE-2016-7124.patch
da867be8ee4429e60c36b8d7c08163936ccbbe0decb41783ea3ba8ac16b57153325d72d2cb3e59a18114b64a3221e988139781cc35db802ba670efa188220d83 d06-u003-CVE-2016-7128.patch
c9e10b6eaf10bcc43bd51063bb0e3db343c5f62901f161c52cb8cd954b1e852c601c58bfcaa13236a02e2ebc2b0a2ab2515993c3905f98e781f9f7806d42f1ca d06-u004-CVE-2016-7129.patch
97ce676e0144c520dd12d7558a0ece65677197de5d420d352a24aa678289671dc55dd6b008a893174f6e422bdd2383cba88995aa62246cd5097e5f1370f526a3 d06-u005-CVE-2016-7130.patch
24432026b2219f493055629b6bb3ba1c149ca7ea01565abe79f326b6171083e1c993a6905a868ec020d1e6f95861c6ab2c71c479a90a5df1aec30f50bb592dc3 d06-u006-CVE-2016-7131-7132.patch
e40dbb776f8bd0f53db6e369c496da50d6615321569e2282b291e5d889c439be29728428a14bf623134028bc484f90ee88cb209429c53a176238d7d9be15df49 d06-u007-CVE-2016-7411.patch
75f487b2fcd7f3d8bbac37c59ab34fe569dff5942a9607e5c0ad0b221b588fcd3ca7843e7507ae8f867cc00ee5ba013900ba895f89edb330b00658df733bbe8e d06-u008-CVE-2016-7417.patch
a391579b088bb1fdfb5365a99683c5131a5e0095629affa1017172487458e2a265d43ac2d0b481ea0a1b0b283348b66d510d20d247ab21afb80f5f6fad629ff0 d06-u009-CVE-2016-7414.patch
26e835602483a89b1ddf095f762c2a396849a51992cd2f75981b000c2ddd478eb58a01175857a36fdebcf0419b19957ba329468be78f1bc3152edcb3fa4a0d0b d06-u010-CVE-2016-7416.patch
5c0025dfc1eb825406bc6f15811f1bccc2a44142fb58409a965f889eb1191eaa49a221729962e5ff4119d9cb8485c5947374d025056735e21c8cf494a07def69 d06-u011-CVE-2016-7412.patch
fb052434118b242d302c0ae296208780bef05b191208957af02725bce36bc2272580484e30d83d91a726c8e1d54b852b81856734084c375e67528ee99f18033a d06-u012-CVE-2016-7418.patch
e8addda48ad6ae71b8b201a95c5a2781f658bef8464c0fc7770347187432554e14a54955bae811d4eef1e1812f85ebfb3827ab5e00619a42ee917756a97a0bae d06-u013-CVE-2016-7413.patch
"

@ -0,0 +1,419 @@
diff --git a/UPGRADING b/UPGRADING
index f38e640b92..b760c0b249 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -351,6 +351,9 @@ PHP 5.4 UPGRADE NOTES
- Since 5.4.7, ctor is always called when new user stream wrapper object is created.
Before, it was called only when stream_open was called.
+- Since 5.5.38, getenv() has optional second parameter, making it only
+ consider local environment and not SAPI environment if true.
+
4a. unserialize() change
------------------------
diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c
index 7d0bfed71b..6005002585 100644
--- a/ext/standard/basic_functions.c
+++ b/ext/standard/basic_functions.c
@@ -3958,21 +3958,24 @@ PHP_FUNCTION(long2ip)
* System Functions *
********************/
-/* {{{ proto string getenv(string varname)
+/* {{{ proto string getenv(string varname[, bool local_only])
Get the value of an environment variable */
PHP_FUNCTION(getenv)
{
char *ptr, *str;
int str_len;
+ zend_bool local_only = 0;
- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &str, &str_len) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|b", &str, &str_len, &local_only) == FAILURE) {
RETURN_FALSE;
}
- /* SAPI method returns an emalloc()'d string */
- ptr = sapi_getenv(str, str_len TSRMLS_CC);
- if (ptr) {
- RETURN_STRING(ptr, 0);
+ if (!local_only) {
+ /* SAPI method returns an emalloc()'d string */
+ ptr = sapi_getenv(str, str_len TSRMLS_CC);
+ if (ptr) {
+ RETURN_STRING(ptr, 0);
+ }
}
#ifdef PHP_WIN32
{
diff --git a/main/SAPI.c b/main/SAPI.c
index 1390d29f8c..1ba65c362b 100644
--- a/main/SAPI.c
+++ b/main/SAPI.c
@@ -1,4 +1,4 @@
-/*
+/*
+----------------------------------------------------------------------+
| PHP Version 5 |
+----------------------------------------------------------------------+
@@ -132,7 +132,7 @@ PHP_FUNCTION(header_register_callback)
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "z", &callback_func) == FAILURE) {
return;
}
-
+
if (!zend_is_callable(callback_func, 0, &callback_name TSRMLS_CC)) {
efree(callback_name);
RETURN_FALSE;
@@ -160,10 +160,10 @@ static void sapi_run_header_callback(TSRMLS_D)
char *callback_name = NULL;
char *callback_error = NULL;
zval *retval_ptr = NULL;
-
+
if (zend_fcall_info_init(SG(callback_func), 0, &fci, &SG(fci_cache), &callback_name, &callback_error TSRMLS_CC) == SUCCESS) {
fci.retval_ptr_ptr = &retval_ptr;
-
+
error = zend_call_function(&fci, &SG(fci_cache) TSRMLS_CC);
if (error == FAILURE) {
goto callback_failed;
@@ -174,13 +174,13 @@ static void sapi_run_header_callback(TSRMLS_D)
callback_failed:
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Could not call the sapi_header_callback");
}
-
+
if (callback_name) {
efree(callback_name);
}
if (callback_error) {
efree(callback_error);
- }
+ }
}
SAPI_API void sapi_handle_post(void *arg TSRMLS_DC)
@@ -386,11 +386,11 @@ SAPI_API void sapi_activate_headers_only(TSRMLS_D)
if (SG(request_info).headers_read == 1)
return;
SG(request_info).headers_read = 1;
- zend_llist_init(&SG(sapi_headers).headers, sizeof(sapi_header_struct),
+ zend_llist_init(&SG(sapi_headers).headers, sizeof(sapi_header_struct),
(void (*)(void *)) sapi_free_header, 0);
SG(sapi_headers).send_default_content_type = 1;
- /* SG(sapi_headers).http_response_code = 200; */
+ /* SG(sapi_headers).http_response_code = 200; */
SG(sapi_headers).http_status_line = NULL;
SG(sapi_headers).mimetype = NULL;
SG(read_post_bytes) = 0;
@@ -403,7 +403,7 @@ SAPI_API void sapi_activate_headers_only(TSRMLS_D)
SG(global_request_time) = 0;
/*
- * It's possible to override this general case in the activate() callback,
+ * It's possible to override this general case in the activate() callback,
* if necessary.
*/
if (SG(request_info).request_method && !strcmp(SG(request_info).request_method, "HEAD")) {
@@ -465,8 +465,8 @@ SAPI_API void sapi_activate(TSRMLS_D)
* depending on given content type */
sapi_read_post_data(TSRMLS_C);
} else {
- /* Any other method with content payload will fill $HTTP_RAW_POST_DATA
- * if it is enabled by always_populate_raw_post_data.
+ /* Any other method with content payload will fill $HTTP_RAW_POST_DATA
+ * if it is enabled by always_populate_raw_post_data.
* It's up to the webserver to decide whether to allow a method or not. */
SG(request_info).content_type_dup = NULL;
if (sapi_module.default_post_reader) {
@@ -497,14 +497,14 @@ static void sapi_send_headers_free(TSRMLS_D)
SG(sapi_headers).http_status_line = NULL;
}
}
-
+
SAPI_API void sapi_deactivate(TSRMLS_D)
{
zend_llist_destroy(&SG(sapi_headers).headers);
if (SG(request_info).post_data) {
efree(SG(request_info).post_data);
} else if (SG(server_context)) {
- if(sapi_module.read_post) {
+ if(sapi_module.read_post) {
/* make sure we've consumed all request input data */
char dummy[SAPI_POST_BLOCK_SIZE];
int read_bytes;
@@ -516,7 +516,7 @@ SAPI_API void sapi_deactivate(TSRMLS_D)
}
if (SG(request_info).raw_post_data) {
efree(SG(request_info).raw_post_data);
- }
+ }
if (SG(request_info).auth_user) {
efree(SG(request_info).auth_user);
}
@@ -574,7 +574,7 @@ static int sapi_extract_response_code(const char *header_line)
break;
}
}
-
+
return code;
}
@@ -594,7 +594,7 @@ static void sapi_update_response_code(int ncode TSRMLS_DC)
SG(sapi_headers).http_response_code = ncode;
}
-/*
+/*
* since zend_llist_del_element only remove one matched item once,
* we should remove them by ourself
*/
@@ -630,7 +630,7 @@ SAPI_API int sapi_add_header_ex(char *header_line, uint header_line_len, zend_bo
{
sapi_header_line ctr = {0};
int r;
-
+
ctr.line = header_line;
ctr.line_len = header_line_len;
@@ -724,7 +724,7 @@ SAPI_API int sapi_header_op(sapi_header_op_enum op, void *arg TSRMLS_DC)
} while(header_line_len && isspace(header_line[header_line_len-1]));
header_line[header_line_len]='\0';
}
-
+
if (op == SAPI_HEADER_DELETE) {
if (strchr(header_line, ':')) {
efree(header_line);
@@ -762,7 +762,7 @@ SAPI_API int sapi_header_op(sapi_header_op_enum op, void *arg TSRMLS_DC)
sapi_header.header_len = header_line_len;
/* Check the header for a few cases that we have special support for in SAPI */
- if (header_line_len>=5
+ if (header_line_len>=5
&& !strncasecmp(header_line, "HTTP/", 5)) {
/* filter out the response code */
sapi_update_response_code(sapi_extract_response_code(header_line) TSRMLS_CC);
@@ -821,8 +821,8 @@ SAPI_API int sapi_header_op(sapi_header_op_enum op, void *arg TSRMLS_DC)
/* Return a Found Redirect if one is not already specified */
if (http_response_code) { /* user specified redirect code */
sapi_update_response_code(http_response_code TSRMLS_CC);
- } else if (SG(request_info).proto_num > 1000 &&
- SG(request_info).request_method &&
+ } else if (SG(request_info).proto_num > 1000 &&
+ SG(request_info).request_method &&
strcmp(SG(request_info).request_method, "HEAD") &&
strcmp(SG(request_info).request_method, "GET")) {
sapi_update_response_code(303 TSRMLS_CC);
@@ -1011,7 +1011,11 @@ SAPI_API struct stat *sapi_get_stat(TSRMLS_D)
SAPI_API char *sapi_getenv(char *name, size_t name_len TSRMLS_DC)
{
- if (sapi_module.getenv) {
+ if (!strncasecmp(name, "HTTP_PROXY", name_len)) {
+ /* Ugly fix for HTTP_PROXY issue, see bug #72573 */
+ return NULL;
+ }
+ if (sapi_module.getenv) {
char *value, *tmp = sapi_module.getenv(name, name_len TSRMLS_CC);
if (tmp) {
value = estrdup(tmp);
diff --git a/main/php_variables.c b/main/php_variables.c
index be6448e5a3..cbc5f5f94a 100644
--- a/main/php_variables.c
+++ b/main/php_variables.c
@@ -44,7 +44,7 @@ PHPAPI void php_register_variable_safe(char *var, char *strval, int str_len, zva
{
zval new_entry;
assert(strval != NULL);
-
+
/* Prepare value */
Z_STRLEN(new_entry) = str_len;
Z_STRVAL(new_entry) = estrndup(strval, Z_STRLEN(new_entry));
@@ -82,7 +82,7 @@ PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars
while (*var_name && *var_name==' ') {
var_name++;
}
-
+
/*
* Prepare variable name
*/
@@ -168,7 +168,7 @@ PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars
return;
}
*ip = 0;
- new_idx_len = strlen(index_s);
+ new_idx_len = strlen(index_s);
}
if (!index) {
@@ -211,7 +211,7 @@ plain_var:
zval_ptr_dtor(&gpc_element);
}
} else {
- /*
+ /*
* According to rfc2965, more specific paths are listed above the less specific ones.
* If we encounter a duplicate cookie name, we should skip it, since it is not possible
* to have the same (plain text) cookie name for the same path and we should not overwrite
@@ -237,7 +237,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(php_std_post_handler)
if (SG(request_info).post_data == NULL) {
return;
- }
+ }
s = SG(request_info).post_data;
e = s + SG(request_info).post_data_length;
@@ -285,7 +285,7 @@ SAPI_API SAPI_TREAT_DATA_FUNC(php_default_treat_data)
int free_buffer = 0;
char *strtok_buf = NULL;
long count = 0;
-
+
switch (arg) {
case PARSE_POST:
case PARSE_GET:
@@ -358,9 +358,9 @@ SAPI_API SAPI_TREAT_DATA_FUNC(php_default_treat_data)
separator = ";\0";
break;
}
-
+
var = php_strtok_r(res, separator, &strtok_buf);
-
+
while (var) {
val = strchr(var, '=');
@@ -455,11 +455,11 @@ static void php_build_argv(char *s, zval *track_vars_array TSRMLS_DC)
zval *arr, *argc, *tmp;
int count = 0;
char *ss, *space;
-
+
if (!(SG(request_info).argc || track_vars_array)) {
return;
}
-
+
ALLOC_INIT_ZVAL(arr);
array_init(arr);
@@ -520,7 +520,7 @@ static void php_build_argv(char *s, zval *track_vars_array TSRMLS_DC)
Z_ADDREF_P(argc);
zend_hash_update(&EG(symbol_table), "argv", sizeof("argv"), &arr, sizeof(zval *), NULL);
zend_hash_update(&EG(symbol_table), "argc", sizeof("argc"), &argc, sizeof(zval *), NULL);
- }
+ }
if (track_vars_array) {
Z_ADDREF_P(arr);
Z_ADDREF_P(argc);
@@ -666,7 +666,7 @@ static zend_bool php_auto_globals_create_get(const char *name, uint name_len TSR
zend_hash_update(&EG(symbol_table), name, name_len + 1, &vars, sizeof(zval *), NULL);
Z_ADDREF_P(vars);
-
+
return 0; /* don't rearm */
}
@@ -693,7 +693,7 @@ static zend_bool php_auto_globals_create_post(const char *name, uint name_len TS
zend_hash_update(&EG(symbol_table), name, name_len + 1, &vars, sizeof(zval *), NULL);
Z_ADDREF_P(vars);
-
+
return 0; /* don't rearm */
}
@@ -716,7 +716,7 @@ static zend_bool php_auto_globals_create_cookie(const char *name, uint name_len
zend_hash_update(&EG(symbol_table), name, name_len + 1, &vars, sizeof(zval *), NULL);
Z_ADDREF_P(vars);
-
+
return 0; /* don't rearm */
}
@@ -735,10 +735,27 @@ static zend_bool php_auto_globals_create_files(const char *name, uint name_len T
zend_hash_update(&EG(symbol_table), name, name_len + 1, &vars, sizeof(zval *), NULL);
Z_ADDREF_P(vars);
-
+
return 0; /* don't rearm */
}
+/* Upgly hack to fix HTTP_PROXY issue, see bug #72573 */
+static void check_http_proxy(HashTable *var_table)
+{
+ if (zend_hash_exists(var_table, "HTTP_PROXY", sizeof("HTTP_PROXY"))) {
+ char *local_proxy = getenv("HTTP_PROXY");
+
+ if (!local_proxy) {
+ zend_hash_del(var_table, "HTTP_PROXY", sizeof("HTTP_PROXY"));
+ } else {
+ zval *local_zval;
+ ALLOC_INIT_ZVAL(local_zval);
+ ZVAL_STRING(local_zval, local_proxy, 1);
+ zend_hash_update(var_table, "HTTP_PROXY", sizeof("HTTP_PROXY"), &local_zval, sizeof(zval **), NULL);
+ }
+ }
+}
+
static zend_bool php_auto_globals_create_server(const char *name, uint name_len TSRMLS_DC)
{
if (PG(variables_order) && (strchr(PG(variables_order),'S') || strchr(PG(variables_order),'s'))) {
@@ -747,7 +764,7 @@ static zend_bool php_auto_globals_create_server(const char *name, uint name_len
if (PG(register_argc_argv)) {
if (SG(request_info).argc) {
zval **argc, **argv;
-
+
if (zend_hash_find(&EG(symbol_table), "argc", sizeof("argc"), (void**)&argc) == SUCCESS &&
zend_hash_find(&EG(symbol_table), "argv", sizeof("argv"), (void**)&argv) == SUCCESS) {
Z_ADDREF_PP(argc);
@@ -759,7 +776,7 @@ static zend_bool php_auto_globals_create_server(const char *name, uint name_len
php_build_argv(SG(request_info).query_string, PG(http_globals)[TRACK_VARS_SERVER] TSRMLS_CC);
}
}
-
+
} else {
zval *server_vars=NULL;
ALLOC_ZVAL(server_vars);
@@ -771,9 +788,10 @@ static zend_bool php_auto_globals_create_server(const char *name, uint name_len
PG(http_globals)[TRACK_VARS_SERVER] = server_vars;
}
+ check_http_proxy(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_SERVER]));
zend_hash_update(&EG(symbol_table), name, name_len + 1, &PG(http_globals)[TRACK_VARS_SERVER], sizeof(zval *), NULL);
Z_ADDREF_P(PG(http_globals)[TRACK_VARS_SERVER]);
-
+
return 0; /* don't rearm */
}
@@ -787,11 +805,12 @@ static zend_bool php_auto_globals_create_env(const char *name, uint name_len TSR
zval_ptr_dtor(&PG(http_globals)[TRACK_VARS_ENV]);
}
PG(http_globals)[TRACK_VARS_ENV] = env_vars;
-
+
if (PG(variables_order) && (strchr(PG(variables_order),'E') || strchr(PG(variables_order),'e'))) {
php_import_environment_variables(PG(http_globals)[TRACK_VARS_ENV] TSRMLS_CC);
}
+ check_http_proxy(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_ENV]));
zend_hash_update(&EG(symbol_table), name, name_len + 1, &PG(http_globals)[TRACK_VARS_ENV], sizeof(zval *), NULL);
Z_ADDREF_P(PG(http_globals)[TRACK_VARS_ENV]);
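Review bot: In the sapi_getenv hunk the guard `!strncasecmp(name, "HTTP_PROXY", name_len)` bounds the comparison by the caller's length only, so any prefix of HTTP_PROXY (`HTTP_P`, `H`, even an empty name) also matches and is answered with NULL, which is wider than the CVE-2016-5385 fix needs. Checking the length first keeps the block exact: `if (name_len == sizeof("HTTP_PROXY") - 1 && !strncasecmp(name, "HTTP_PROXY", name_len)) {`. The `check_http_proxy` helper in php_variables.c is the counterpart for $_SERVER/$_ENV and matches the key case-sensitively through the hash lookup, which is presumably fine because CGI variable names are upper-cased by the server, but that assumption deserves a comment on the helper. The rest of sapi_getenv continues outside the hunk.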

@ -0,0 +1,46 @@
Index: php5-5.4.45/ext/standard/var_unserializer.c
===================================================================
--- php5-5.4.45.orig/ext/standard/var_unserializer.c 2016-12-09 15:38:15.403998513 +0100
+++ php5-5.4.45/ext/standard/var_unserializer.c 2016-12-09 15:38:15.395998734 +0100
@@ -437,9 +437,18 @@
}
if (!process_nested_data(UNSERIALIZE_PASSTHRU, Z_OBJPROP_PP(rval), elements, 1)) {
+ /* We've got partially constructed object on our hands here. Wipe it. */
+ if(Z_TYPE_PP(rval) == IS_OBJECT) {
+ zend_hash_clean(Z_OBJPROP_PP(rval));
+ }
+ ZVAL_NULL(*rval);
return 0;
}
+ if (Z_TYPE_PP(rval) != IS_OBJECT) {
+ return 0;
+ }
+
if (Z_OBJCE_PP(rval) != PHP_IC_ENTRY &&
zend_hash_exists(&Z_OBJCE_PP(rval)->function_table, "__wakeup", sizeof("__wakeup"))) {
INIT_PZVAL(&fname);
Index: php5-5.4.45/ext/standard/var_unserializer.re
===================================================================
--- php5-5.4.45.orig/ext/standard/var_unserializer.re 2016-12-09 15:38:15.403998513 +0100
+++ php5-5.4.45/ext/standard/var_unserializer.re 2016-12-09 15:38:15.399998623 +0100
@@ -443,9 +443,18 @@
}
if (!process_nested_data(UNSERIALIZE_PASSTHRU, Z_OBJPROP_PP(rval), elements, 1)) {
+ /* We've got partially constructed object on our hands here. Wipe it. */
+ if(Z_TYPE_PP(rval) == IS_OBJECT) {
+ zend_hash_clean(Z_OBJPROP_PP(rval));
+ }
+ ZVAL_NULL(*rval);
return 0;
}
+ if (Z_TYPE_PP(rval) != IS_OBJECT) {
+ return 0;
+ }
+
if (Z_OBJCE_PP(rval) != PHP_IC_ENTRY &&
zend_hash_exists(&Z_OBJCE_PP(rval)->function_table, "__wakeup", sizeof("__wakeup"))) {
INIT_PZVAL(&fname);
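Review bot: The new failure path in both var_unserializer.c and var_unserializer.re clears the property table and nulls the zval without saying why, and the reason is the whole fix; a comment such as `/* property parsing failed: empty the object so __wakeup (below) and later magic methods never see the half-built, attacker-shaped state (CVE-2016-7124) */` would make that explicit. The object handle stays in the object store after `ZVAL_NULL(*rval)`, so what happens to the emptied object at destruction is decided elsewhere and is worth a line in that comment too. var_unserializer.c is generated from the .re by re2c, so the two hunks must stay identical, and they do here. The enclosing function starts and ends outside the hunk.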

@ -0,0 +1,17 @@
Index: php5-5.4.45/ext/exif/exif.c
===================================================================
--- php5-5.4.45.orig/ext/exif/exif.c 2016-12-09 15:44:19.153939754 +0100
+++ php5-5.4.45/ext/exif/exif.c 2016-12-09 15:44:19.149939865 +0100
@@ -3768,8 +3768,11 @@
fgot = php_stream_read(ImageInfo->infile, ImageInfo->Thumbnail.data, ImageInfo->Thumbnail.size);
if (fgot < ImageInfo->Thumbnail.size) {
EXIF_ERRLOG_THUMBEOF(ImageInfo)
+ efree(ImageInfo->Thumbnail.data);
+ ImageInfo->Thumbnail.data = NULL;
+ } else {
+ exif_thumbnail_build(ImageInfo TSRMLS_CC);
}
- exif_thumbnail_build(ImageInfo TSRMLS_CC);
}
#ifdef EXIF_DEBUG
exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Read next IFD (THUMBNAIL) done");
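Review bot: After the short read the hunk frees `Thumbnail.data` and NULLs it but leaves `Thumbnail.size` at the value taken from the IFD, so any later consumer that tests `size` rather than `data` to decide whether a thumbnail exists would still act on it; resetting it alongside, `ImageInfo->Thumbnail.size = 0;`, removes that ambiguity. Those consumers are not visible from the hunk, so confirm against the thumbnail accessors before adding it. The enclosing function continues outside the hunk.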

@ -0,0 +1,76 @@
Index: php5-5.4.45/ext/wddx/tests/bug72749.phpt
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ php5-5.4.45/ext/wddx/tests/bug72749.phpt 2016-12-09 15:45:36.387804112 +0100
@@ -0,0 +1,34 @@
+--TEST--
+Bug #72749: wddx_deserialize allows illegal memory access
+--SKIPIF--
+<?php
+if (!extension_loaded('wddx')) {
+ die('skip. wddx not available');
+}
+?>
+--FILE--
+<?php
+$xml = <<<XML
+<?xml version='1.0'?>
+<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
+<wddxPacket version='1.0'>
+<header/>
+ <data>
+ <struct>
+ <var name='aDateTime3'>
+ <dateTime>2\r2004-09-10T05:52:49+00</dateTime>
+ </var>
+ </struct>
+ </data>
+</wddxPacket>
+XML;
+
+$array = wddx_deserialize($xml);
+var_dump($array);
+?>
+--EXPECT--
+array(1) {
+ ["aDateTime3"]=>
+ string(24) "2
+2004-09-10T05:52:49+00"
+}
Index: php5-5.4.45/ext/wddx/wddx.c
===================================================================
--- php5-5.4.45.orig/ext/wddx/wddx.c 2016-12-09 15:45:36.395803891 +0100
+++ php5-5.4.45/ext/wddx/wddx.c 2016-12-09 15:45:36.391804001 +0100
@@ -1105,18 +1105,26 @@
case ST_DATETIME: {
char *tmp;
- tmp = emalloc(len + 1);
- memcpy(tmp, s, len);
+ if (Z_TYPE_P(ent->data) == IS_STRING) {
+ tmp = safe_emalloc(Z_STRLEN_P(ent->data), 1, (size_t)len + 1);
+ memcpy(tmp, Z_STRVAL_P(ent->data), Z_STRLEN_P(ent->data));
+ memcpy(tmp + Z_STRLEN_P(ent->data), s, len);
+ len += Z_STRLEN_P(ent->data);
+ efree(Z_STRVAL_P(ent->data));
+ Z_TYPE_P(ent->data) = IS_LONG;
+ } else {
+ tmp = emalloc(len + 1);
+ memcpy(tmp, s, len);
+ }
tmp[len] = '\0';
Z_LVAL_P(ent->data) = php_parse_date(tmp, NULL);
/* date out of range < 1969 or > 2038 */
if (Z_LVAL_P(ent->data) == -1) {
- Z_TYPE_P(ent->data) = IS_STRING;
- Z_STRLEN_P(ent->data) = len;
- Z_STRVAL_P(ent->data) = estrndup(s, len);
+ ZVAL_STRINGL(ent->data, tmp, len, 0);
+ } else {
+ efree(tmp);
}
- efree(tmp);
}
break;
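Review bot: The ST_DATETIME branch now concatenates the incoming chunk with text already stored in `ent->data`, but nothing in the code says why that state arises; a comment such as `/* expat may deliver one element's text in several callbacks (the test splits at \r); glue the pieces before parsing so a partial date is never parsed on its own */` would make the fix readable. Ownership is handled correctly: `tmp` is handed to the zval via `ZVAL_STRINGL(..., 0)` on parse failure and freed otherwise. The pre-existing `== -1` test also treats the legitimate timestamp -1 (one second before the epoch) as a parse failure; unchanged here, but worth a line in the comment. The enclosing switch starts outside the hunk.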

@ -0,0 +1,58 @@
Index: php5-5.4.45/ext/wddx/tests/bug72750.phpt
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ php5-5.4.45/ext/wddx/tests/bug72750.phpt 2016-12-09 15:46:12.490805829 +0100
@@ -0,0 +1,34 @@
+--TEST--
+Bug #72750: wddx_deserialize null dereference
+--SKIPIF--
+<?php
+if (!extension_loaded('wddx')) {
+ die('skip. wddx not available');
+}
+?>
+--FILE--
+<?php
+
+$xml = <<< XML
+<?xml version='1.0'?>
+<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
+<wddxPacket version='1.0'>
+<header/>
+ <data>
+ <struct>
+ <var name='aBinary'>
+ <binary length='11'>\\tYmluYXJRhdGE=</binary>
+ </var>
+ </struct>
+ </data>
+</wddxPacket>
+XML;
+
+$array = wddx_deserialize($xml);
+var_dump($array);
+?>
+--EXPECT--
+array(1) {
+ ["aBinary"]=>
+ string(0) ""
+}
Index: php5-5.4.45/ext/wddx/wddx.c
===================================================================
--- php5-5.4.45.orig/ext/wddx/wddx.c 2016-12-09 15:46:12.498805608 +0100
+++ php5-5.4.45/ext/wddx/wddx.c 2016-12-09 15:46:12.490805829 +0100
@@ -942,8 +942,12 @@
new_str = php_base64_decode(Z_STRVAL_P(ent1->data), Z_STRLEN_P(ent1->data), &new_len);
STR_FREE(Z_STRVAL_P(ent1->data));
- Z_STRVAL_P(ent1->data) = new_str;
- Z_STRLEN_P(ent1->data) = new_len;
+ if (new_str) {
+ Z_STRVAL_P(ent1->data) = new_str;
+ Z_STRLEN_P(ent1->data) = new_len;
+ } else {
+ ZVAL_EMPTY_STRING(ent1->data);
+ }
}
/* Call __wakeup() method on the object. */
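Review bot: The base64 branch now turns a `<binary>` payload that php_base64_decode() rejects into an empty string with no diagnostic, so callers cannot distinguish "no data" from "corrupt data"; if that is the intended failure mode, say so where the substitution happens: `/* php_base64_decode() returns NULL on malformed input; use "" so Z_STRVAL is never NULL (bug #72750) */`. `STR_FREE` runs before the result is examined, so nothing leaks on either path. The enclosing function continues outside the hunk.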

@ -0,0 +1,105 @@
Index: php5-5.4.45/ext/wddx/tests/bug72790.phpt
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ php5-5.4.45/ext/wddx/tests/bug72790.phpt 2016-12-09 15:55:07.064019273 +0100
@@ -0,0 +1,35 @@
+--TEST--
+Bug 72790: wddx_deserialize null dereference with invalid xml
+--SKIPIF--
+<?php
+if (!extension_loaded('wddx')) {
+ die('skip. wddx not available');
+}
+?>
+--FILE--
+<?php
+
+$xml = <<< XML
+<?xml version='1.0' ?>
+<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
+<wddxPacket version='1.0'>
+ |array>
+ <var name="XXXX">
+ <boolean value="this">
+ </boolean>
+ </var>
+ <var name="YYYY">
+ <var name="UUUU">
+ <var name="EZEZ">
+ </var>
+ </var>
+ </var>
+ </array>
+</wddxPacket>
+XML;
+
+$array = wddx_deserialize($xml);
+var_dump($array);
+?>
+--EXPECT--
+NULL
\ No newline at end of file
Index: php5-5.4.45/ext/wddx/tests/bug72799.phpt
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ php5-5.4.45/ext/wddx/tests/bug72799.phpt 2016-12-09 15:55:07.064019273 +0100
@@ -0,0 +1,28 @@
+--TEST--
+Bug #72799: wddx_deserialize null dereference in php_wddx_pop_element
+--SKIPIF--
+<?php
+if (!extension_loaded('wddx')) {
+ die('skip. wddx not available');
+}
+?>
+--FILE--
+<?php
+
+$xml = <<<XML
+<?xml version='1.0'?>
+<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
+<wddxPacket version="1.0">
+ <var name="XXXX">
+ <boolean value="1">
+ <dateTime>1998-06-12T04:32:12+00</dateTime>
+ </boolean>
+ </var>
+</wddxPacket>
+XML;
+
+$array = wddx_deserialize($xml);
+var_dump($array);
+?>
+--EXPECT--
+NULL
\ No newline at end of file
Index: php5-5.4.45/ext/wddx/wddx.c
===================================================================
--- php5-5.4.45.orig/ext/wddx/wddx.c 2016-12-09 15:55:07.072019052 +0100
+++ php5-5.4.45/ext/wddx/wddx.c 2016-12-09 15:55:07.064019273 +0100
@@ -971,7 +971,7 @@
wddx_stack_top(stack, (void**)&ent2);
/* if non-existent field */
- if (ent2->type == ST_FIELD && ent2->data == NULL) {
+ if (ent2->data == NULL) {
zval_ptr_dtor(&ent1->data);
efree(ent1);
return;
@@ -1161,9 +1161,13 @@
if (stack.top == 1) {
wddx_stack_top(&stack, (void**)&ent);
- *return_value = *(ent->data);
- zval_copy_ctor(return_value);
- retval = SUCCESS;
+ if(ent->data == NULL) {
+ retval = FAILURE;
+ } else {
+ *return_value = *(ent->data);
+ zval_copy_ctor(return_value);
+ retval = SUCCESS;
+ }
} else {
retval = FAILURE;
}
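Review bot: Dropping the `ent2->type == ST_FIELD` qualifier means any parent entry with a NULL `data` now discards the child silently, which is the right defensive default, but the comment above it still reads `/* if non-existent field */` and no longer describes the condition; update it to `/* parent has nothing to attach to (empty field or malformed nesting): drop the child */`. In the second hunk the `ent->data == NULL` check makes wddx_deserialize return NULL instead of copying from a NULL zval, which is what both new tests pin. Both enclosing functions start outside the hunks.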

@ -0,0 +1,71 @@
Index: php5-5.4.45/Zend/zend_objects_API.c
===================================================================
--- php5-5.4.45.orig/Zend/zend_objects_API.c 2016-12-09 15:56:42.813367317 +0100
+++ php5-5.4.45/Zend/zend_objects_API.c 2016-12-09 15:56:42.809367428 +0100
@@ -215,7 +215,7 @@
} zend_end_try();
}
}
-
+
/* re-read the object from the object store as the store might have been reallocated in the dtor */
obj = &EG(objects_store).object_buckets[handle].bucket.obj;
@@ -306,8 +306,8 @@
{
zend_object_handle handle = Z_OBJ_HANDLE_P(zobject);
zend_object_store_bucket *obj_bucket = &EG(objects_store).object_buckets[handle];
-
- obj_bucket->bucket.obj.handlers = Z_OBJ_HT_P(zobject);;
+
+ obj_bucket->bucket.obj.handlers = Z_OBJ_HT_P(zobject);
obj_bucket->destructor_called = 1;
}
Index: php5-5.4.45/ext/standard/tests/serialize/bug73052.phpt
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ php5-5.4.45/ext/standard/tests/serialize/bug73052.phpt 2016-12-09 15:56:42.809367428 +0100
@@ -0,0 +1,18 @@
+--TEST--
+Bug #73052: Memory Corruption in During Deserialized-object Destruction
+--FILE--
+<?php
+
+class obj {
+ var $ryat;
+ public function __destruct() {
+ $this->ryat = null;
+ }
+}
+
+$poc = 'O:3:"obj":1:{';
+var_dump(unserialize($poc));
+?>
+--EXPECTF--
+Notice: unserialize(): Error at offset 13 of 13 bytes in %sbug73052.php on line %d
+bool(false)
Index: php5-5.4.45/ext/standard/var_unserializer.c
===================================================================
--- php5-5.4.45.orig/ext/standard/var_unserializer.c 2016-12-09 15:56:42.813367317 +0100
+++ php5-5.4.45/ext/standard/var_unserializer.c 2016-12-09 15:56:42.809367428 +0100
@@ -440,6 +440,7 @@
/* We've got partially constructed object on our hands here. Wipe it. */
if(Z_TYPE_PP(rval) == IS_OBJECT) {
zend_hash_clean(Z_OBJPROP_PP(rval));
+ zend_object_store_ctor_failed(*rval TSRMLS_CC);
}
ZVAL_NULL(*rval);
return 0;
Index: php5-5.4.45/ext/standard/var_unserializer.re
===================================================================
--- php5-5.4.45.orig/ext/standard/var_unserializer.re 2016-12-09 15:56:42.813367317 +0100
+++ php5-5.4.45/ext/standard/var_unserializer.re 2016-12-09 15:56:42.809367428 +0100
@@ -446,6 +446,7 @@
/* We've got partially constructed object on our hands here. Wipe it. */
if(Z_TYPE_PP(rval) == IS_OBJECT) {
zend_hash_clean(Z_OBJPROP_PP(rval));
+ zend_object_store_ctor_failed(*rval TSRMLS_CC);
}
ZVAL_NULL(*rval);
return 0;
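Review bot: The `zend_object_store_ctor_failed()` call is correctly kept inside the `IS_OBJECT` check, since that function indexes the object store with `Z_OBJ_HANDLE_P` and would touch a bogus bucket for a non-object; a comment tying it to the fix would help: `/* mark destructor_called so __destruct never runs on the half-built object (bug #73052) */`. The zend_objects_API.c hunks are only trailing whitespace and a stray `;;`; carrying them in a security backport widens the patch's footprint for no functional gain and could be dropped. Both enclosing functions start outside the hunks.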

@ -0,0 +1,45 @@
Index: php5-5.4.45/ext/spl/spl_array.c
===================================================================
--- php5-5.4.45.orig/ext/spl/spl_array.c 2016-12-09 15:58:15.058812500 +0100
+++ php5-5.4.45/ext/spl/spl_array.c 2016-12-09 15:58:15.054812611 +0100
@@ -306,7 +306,7 @@
long index;
HashTable *ht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
- if (!offset) {
+ if (!offset || !ht) {
return &EG(uninitialized_zval_ptr);
}
@@ -1808,7 +1808,9 @@
intern->ar_flags |= flags & SPL_ARRAY_CLONE_MASK;
zval_ptr_dtor(&intern->array);
ALLOC_INIT_ZVAL(intern->array);
- if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)) {
+ if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)
+ || (Z_TYPE_P(intern->array) != IS_ARRAY && Z_TYPE_P(intern->array) != IS_OBJECT)) {
+ zval_ptr_dtor(&intern->array);
goto outexcept;
}
var_push_dtor(&var_hash, &intern->array);
Index: php5-5.4.45/ext/spl/tests/bug73029.phpt
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ php5-5.4.45/ext/spl/tests/bug73029.phpt 2016-12-09 15:58:15.054812611 +0100
@@ -0,0 +1,16 @@
+--TEST--
+Bug #73029: Missing type check when unserializing SplArray
+--FILE--
+<?php
+try {
+$a = 'C:11:"ArrayObject":19:0x:i:0;r:2;;m:a:0:{}}';
+$m = unserialize($a);
+$x = $m[2];
+} catch(UnexpectedValueException $e) {
+ print $e->getMessage() . "\n";
+}
+?>
+DONE
+--EXPECTF--
+Error at offset 10 of 19 bytes
+DONE
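Review bot: In the unserialize hunk, `zval_ptr_dtor(&intern->array)` on the type-check failure leaves `intern->array` pointing at freed memory, so if the object's free-storage handler (outside the hunk) dtors `intern->array` unconditionally, the rejected object is freed twice when it is destroyed; re-initialising right after the dtor, `ALLOC_INIT_ZVAL(intern->array);`, keeps the invariant that the field is always a live zval. Confirm against spl_array_object_free_storage before relying on the exception path alone. The `!ht` guard in the first hunk is the right companion check for the same state. The enclosing functions start outside the hunks.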

@ -0,0 +1,73 @@
Index: php5-5.4.45/ext/phar/util.c
===================================================================
--- php5-5.4.45.orig/ext/phar/util.c 2016-12-09 15:59:08.117343042 +0100
+++ php5-5.4.45/ext/phar/util.c 2016-12-09 15:59:08.109343264 +0100
@@ -1928,6 +1928,13 @@
unsigned char digest[64];
PHP_SHA512_CTX context;
+ if (sig_len < sizeof(digest)) {
+ if (error) {
+ spprintf(error, 0, "broken signature");
+ }
+ return FAILURE;
+ }
+
PHP_SHA512Init(&context);
read_len = end_of_phar;
@@ -1961,6 +1968,13 @@
unsigned char digest[32];
PHP_SHA256_CTX context;
+ if (sig_len < sizeof(digest)) {
+ if (error) {
+ spprintf(error, 0, "broken signature");
+ }
+ return FAILURE;
+ }
+
PHP_SHA256Init(&context);
read_len = end_of_phar;
@@ -2002,6 +2016,13 @@
unsigned char digest[20];
PHP_SHA1_CTX context;
+ if (sig_len < sizeof(digest)) {
+ if (error) {
+ spprintf(error, 0, "broken signature");
+ }
+ return FAILURE;
+ }
+
PHP_SHA1Init(&context);
read_len = end_of_phar;
@@ -2035,6 +2056,13 @@
unsigned char digest[16];
PHP_MD5_CTX context;
+ if (sig_len < sizeof(digest)) {
+ if (error) {
+ spprintf(error, 0, "broken signature");
+ }
+ return FAILURE;
+ }
+
PHP_MD5Init(&context);
read_len = end_of_phar;
Index: php5-5.4.45/ext/phar/zip.c
===================================================================
--- php5-5.4.45.orig/ext/phar/zip.c 2016-12-09 15:59:08.117343042 +0100
+++ php5-5.4.45/ext/phar/zip.c 2016-12-09 15:59:08.109343264 +0100
@@ -430,7 +430,7 @@
php_stream_seek(fp, sizeof(phar_zip_file_header) + entry.header_offset + entry.filename_len + PHAR_GET_16(zipentry.extra_len), SEEK_SET);
sig = (char *) emalloc(entry.uncompressed_filesize);
read = php_stream_read(fp, sig, entry.uncompressed_filesize);
- if (read != entry.uncompressed_filesize) {
+ if (read != entry.uncompressed_filesize || read <= 8) {
php_stream_close(sigfile);
efree(sig);
PHAR_ZIP_FAIL("signature cannot be read");
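Review bot: The four new `sig_len < sizeof(digest)` guards in util.c compare against a `size_t`, so if `sig_len` is a signed `int` (its declaration is outside the hunk) a negative value converts to a huge unsigned and passes the check; guard the sign as well, `if (sig_len < 0 || (size_t)sig_len < sizeof(digest)) {`, or confirm the parameter is unsigned. In zip.c the `read <= 8` bound is a bare magic number; a comment naming the 8-byte layout it protects (presumably the signature type word plus the trailing magic, confirm against the phar reader) would make it reviewable. The four identical guard blocks could also become a single static helper. Both enclosing functions start outside the hunks.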

@ -0,0 +1,13 @@
Index: php5-5.4.45/ext/intl/msgformat/msgformat_format.c
===================================================================
--- php5-5.4.45.orig/ext/intl/msgformat/msgformat_format.c 2016-12-09 16:00:05.899742789 +0100
+++ php5-5.4.45/ext/intl/msgformat/msgformat_format.c 2016-12-09 16:00:05.895742899 +0100
@@ -135,6 +135,8 @@
RETURN_FALSE;
}
+ INTL_CHECK_LOCALE_LEN(slocale_len);
+
msgformat_data_init(&mfo->mf_data TSRMLS_CC);
if(pattern && pattern_len) {

@ -0,0 +1,27 @@
Index: php5-5.4.45/ext/mysqlnd/mysqlnd_wireprotocol.c
===================================================================
--- php5-5.4.45.orig/ext/mysqlnd/mysqlnd_wireprotocol.c 2016-12-09 16:00:51.114490615 +0100
+++ php5-5.4.45/ext/mysqlnd/mysqlnd_wireprotocol.c 2016-12-09 16:00:51.110490725 +0100
@@ -1523,6 +1523,7 @@
zend_uchar * p = row_buffer->ptr;
size_t data_size = row_buffer->app;
zend_uchar * bit_area = (zend_uchar*) row_buffer->ptr + data_size + 1; /* we allocate from here */
+ const zend_uchar * const packet_end = (zend_uchar*) row_buffer->ptr + data_size;
DBG_ENTER("php_mysqlnd_rowp_read_text_protocol");
@@ -1544,8 +1545,13 @@
/* Don't reverse the order. It is significant!*/
zend_uchar *this_field_len_pos = p;
/* php_mysqlnd_net_field_length() call should be after *this_field_len_pos = p; */
- unsigned long len = php_mysqlnd_net_field_length(&p);
+ const unsigned long len = php_mysqlnd_net_field_length(&p);
+ if (len != MYSQLND_NULL_LENGTH && ((p + len) > packet_end)) {
+ php_error_docref(NULL, E_WARNING, "Malformed server packet. Field length pointing "MYSQLND_SZ_T_SPEC
+ " bytes after end of packet", (p + len) - packet_end - 1);
+ DBG_RETURN(FAIL);
+ }
if (current_field > start_field && last_field_was_string) {
/*
Normal queries:
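Review bot: The new bounds check forms `p + len` before comparing it, with `len` taken straight from the server packet; for a large `len` that pointer computation is out of bounds (undefined in C) and on a 32-bit build can wrap below `packet_end` and pass the check. Comparing the length against the bytes that remain avoids that: `if (len != MYSQLND_NULL_LENGTH && len > (size_t)(packet_end - p)) {`, with the warning's argument written as `len - (size_t)(packet_end - p)`; this presumes `p <= packet_end` once the length prefix has been read, so if `php_mysqlnd_net_field_length` can itself move `p` past the end on a truncated packet that needs its own check. The `php_error_docref(NULL, E_WARNING, ...)` call passes no `TSRMLS_CC`; that expands to nothing in a non-ZTS build, but the 5.4 signature needs it if this package is ever built with ZTS. The enclosing loop and function continue outside the hunk.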

@ -0,0 +1,180 @@
Index: php5-5.4.45/ext/wddx/tests/bug73065.phpt
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ php5-5.4.45/ext/wddx/tests/bug73065.phpt 2016-12-09 16:05:00.999570678 +0100
@@ -0,0 +1,98 @@
+--TEST--
+Bug #73065: Out-Of-Bounds Read in php_wddx_push_element of wddx.c
+--SKIPIF--
+<?php
+if (!extension_loaded('wddx')) {
+ die('skip. wddx not available');
+}
+?>
+--FILE--
+<?php
+
+$xml1 = <<<XML
+<?xml version='1.0' ?>
+ <!DOCTYPE et SYSTEM 'w'>
+ <wddxPacket ven='1.0'>
+ <array>
+ <var Name="name">
+ <boolean value="keliu"></boolean>
+ </var>
+ <var name="1111">
+ <var name="2222">
+ <var name="3333"></var>
+ </var>
+ </var>
+ </array>
+ </wddxPacket>
+XML;
+
+$xml2 = <<<XML
+<?xml version='1.0' ?>
+ <!DOCTYPE et SYSTEM 'w'>
+ <wddxPacket ven='1.0'>
+ <array>
+ <char Name="code">
+ <boolean value="keliu"></boolean>
+ </char>
+ </array>
+ </wddxPacket>
+XML;
+
+$xml3 = <<<XML
+<?xml version='1.0' ?>
+ <!DOCTYPE et SYSTEM 'w'>
+ <wddxPacket ven='1.0'>
+ <array>
+ <boolean Name="value">
+ <boolean value="keliu"></boolean>
+ </boolean>
+ </array>
+ </wddxPacket>
+XML;
+
+$xml4 = <<<XML
+<?xml version='1.0' ?>
+ <!DOCTYPE et SYSTEM 'w'>
+ <wddxPacket ven='1.0'>
+ <array>
+ <recordset Name="fieldNames">
+ <boolean value="keliu"></boolean>
+ </recordset>
+ </array>
+ </wddxPacket>
+XML;
+
+$xml5 = <<<XML
+<?xml version='1.0' ?>
+ <!DOCTYPE et SYSTEM 'w'>
+ <wddxPacket ven='1.0'>
+ <array>
+ <field Name="name">
+ <boolean value="keliu"></boolean>
+ </field>
+ </array>
+ </wddxPacket>
+XML;
+
+for($i=1;$i<=5;$i++) {
+ $xmlvar = "xml$i";
+ $array = wddx_deserialize($$xmlvar);
+ var_dump($array);
+}
+?>
+DONE
+--EXPECTF--
+array(0) {
+}
+array(0) {
+}
+array(0) {
+}
+array(1) {
+ [0]=>
+ array(0) {
+ }
+}
+array(0) {
+}
+DONE
\ No newline at end of file
Index: php5-5.4.45/ext/wddx/wddx.c
===================================================================
--- php5-5.4.45.orig/ext/wddx/wddx.c 2016-12-09 16:05:01.003570567 +0100
+++ php5-5.4.45/ext/wddx/wddx.c 2016-12-09 16:05:56.586031433 +0100
@@ -773,10 +773,10 @@
int i;
if (atts) for (i = 0; atts[i]; i++) {
- if (!strcmp(atts[i], EL_CHAR_CODE) && atts[++i] && atts[i][0]) {
+ if (!strcmp(atts[i], EL_CHAR_CODE) && atts[i+1] && atts[i+1][0]) {
char tmp_buf[2];
- snprintf(tmp_buf, sizeof(tmp_buf), "%c", (char)strtol(atts[i], NULL, 16));
+ snprintf(tmp_buf, sizeof(tmp_buf), "%c", (char)strtol(atts[i+1], NULL, 16));
php_wddx_process_data(user_data, tmp_buf, strlen(tmp_buf));
break;
}
@@ -794,7 +794,7 @@
int i;
if (atts) for (i = 0; atts[i]; i++) {
- if (!strcmp(atts[i], EL_VALUE) && atts[++i] && atts[i][0]) {
+ if (!strcmp(atts[i], EL_VALUE) && atts[i+1] && atts[i+1][0]) {
ent.type = ST_BOOLEAN;
SET_STACK_VARNAME;
@@ -802,7 +802,7 @@
INIT_PZVAL(ent.data);
Z_TYPE_P(ent.data) = IS_BOOL;
wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry));
- php_wddx_process_data(user_data, atts[i], strlen(atts[i]));
+ php_wddx_process_data(user_data, atts[i+1], strlen(atts[i+1]));
break;
}
}
@@ -835,8 +835,8 @@
int i;
if (atts) for (i = 0; atts[i]; i++) {
- if (!strcmp(atts[i], EL_NAME) && atts[++i] && atts[i][0]) {
- stack->varname = estrdup(atts[i]);
+ if (!strcmp(atts[i], EL_NAME) && atts[i+1] && atts[i+1][0]) {
+ stack->varname = estrdup(atts[i+1]);
break;
}
}
@@ -849,11 +849,12 @@
array_init(ent.data);
if (atts) for (i = 0; atts[i]; i++) {
- if (!strcmp(atts[i], "fieldNames") && atts[++i] && atts[i][0]) {
+ if (!strcmp(atts[i], "fieldNames") && atts[i+1] && atts[i+1][0]) {
zval *tmp;
char *key;
char *p1, *p2, *endp;
+ i++;
endp = (char *)atts[i] + strlen(atts[i]);
p1 = (char *)atts[i];
while ((p2 = php_memnstr(p1, ",", sizeof(",")-1, endp)) != NULL) {
@@ -885,13 +886,13 @@
ent.data = NULL;
if (atts) for (i = 0; atts[i]; i++) {
- if (!strcmp(atts[i], EL_NAME) && atts[++i] && atts[i][0]) {
+ if (!strcmp(atts[i], EL_NAME) && atts[i+1] && atts[i+1][0]) {
st_entry *recordset;
zval **field;
if (wddx_stack_top(stack, (void**)&recordset) == SUCCESS &&
recordset->type == ST_RECORDSET &&
- zend_hash_find(Z_ARRVAL_P(recordset->data), (char*)atts[i], strlen(atts[i])+1, (void**)&field) == SUCCESS) {
+ zend_hash_find(Z_ARRVAL_P(recordset->data), (char*)atts[i+1], strlen(atts[i+1])+1, (void**)&field) == SUCCESS) {
ent.data = *field;
}
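Review bot: The `i++;` added in the fieldNames hunk is the only place in this patch that advances the loop index inside the body, while the other hunks keep `i` on the attribute name and read `atts[i+1]`; a comment would mark the asymmetry as intentional, e.g. `/* advance to the attribute value: the tokenizer below indexes atts[i] */`. The new bug73065.phpt uses `--EXPECTF--` although its expected output contains no format placeholders; `--EXPECT--`, as bug72860.phpt in the next patch uses, would make the comparison exact. Each handler function starts and ends outside its hunk.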

@ -0,0 +1,47 @@
Index: php5-5.4.45/ext/wddx/tests/bug72860.phpt
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ php5-5.4.45/ext/wddx/tests/bug72860.phpt 2016-12-09 16:08:37.893564834 +0100
@@ -0,0 +1,27 @@
+--TEST--
+Bug #72860: wddx_deserialize use-after-free
+--SKIPIF--
+<?php
+if (!extension_loaded('wddx')) {
+ die('skip. wddx not available');
+}
+?>
+--FILE--
+<?php
+
+$xml=<<<XML
+<?xml version='1.0'?>
+<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
+<wddxPacket version='1.0'>
+ <recordset fieldNames='F'>
+ <field name='F'>
+ </recordset>
+</wddxPacket>
+XML;
+
+var_dump(wddx_deserialize($xml));
+?>
+DONE
+--EXPECT--
+NULL
+DONE
\ No newline at end of file
Index: php5-5.4.45/ext/wddx/wddx.c
===================================================================
--- php5-5.4.45.orig/ext/wddx/wddx.c 2016-12-09 16:08:37.901564613 +0100
+++ php5-5.4.45/ext/wddx/wddx.c 2016-12-09 16:08:37.893564834 +0100
@@ -232,7 +232,8 @@
if (stack->elements) {
for (i = 0; i < stack->top; i++) {
- if (((st_entry *)stack->elements[i])->data) {
+ if (((st_entry *)stack->elements[i])->data
+ && ((st_entry *)stack->elements[i])->type != ST_FIELD) {
zval_ptr_dtor(&((st_entry *)stack->elements[i])->data);
}
if (((st_entry *)stack->elements[i])->varname) {
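Review bot: The new `type != ST_FIELD` exclusion encodes an ownership rule that nothing in the hunk states: a field entry's `data` is taken from the enclosing recordset's array (`ent.data = *field` in the bug73065 patch above) rather than allocated for the stack entry, so destroying it here frees it twice. A comment on the condition would carry that, e.g. `/* ST_FIELD entries alias a zval owned by the enclosing recordset; it is released with that recordset, not here */`. Any other path that releases a stack entry's `data` (the pop at element end, if it does so) would need the same exclusion; that code is outside this hunk. The enclosing function starts and ends outside the hunk.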