alpine-pkg/testing/php5.4/d05-u004-CVE-2016-5771.patch


Index: php5-5.4.45/Zend/tests/gc_024.phpt
===================================================================
--- php5-5.4.45.orig/Zend/tests/gc_024.phpt 2016-08-19 14:41:43.000000000 +0200
+++ php5-5.4.45/Zend/tests/gc_024.phpt 2016-08-19 14:41:43.000000000 +0200
@@ -13,5 +13,5 @@
echo "ok\n";
?>
--EXPECT--
-int(1)
+int(2)
ok
Index: php5-5.4.45/ext/spl/spl_array.c
===================================================================
--- php5-5.4.45.orig/ext/spl/spl_array.c 2016-08-19 14:41:43.000000000 +0200
+++ php5-5.4.45/ext/spl/spl_array.c 2016-08-19 14:41:43.000000000 +0200
@@ -831,6 +831,16 @@
}
/* }}} */
+static HashTable *spl_array_get_gc(zval *object, zval ***gc_data, int *gc_data_count TSRMLS_DC) /* {{{ */
+{
+ spl_array_object *intern = (spl_array_object*)zend_object_store_get_object(object TSRMLS_CC);
+
+ *gc_data = &intern->array;
+ *gc_data_count = 1;
+ return zend_std_get_properties(object TSRMLS_CC);
+}
+/* }}} */
+
static zval *spl_array_read_property(zval *object, zval *member, int type, const zend_literal *key TSRMLS_DC) /* {{{ */
{
spl_array_object *intern = (spl_array_object*)zend_object_store_get_object(object TSRMLS_CC);
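Review bot: `spl_array_get_gc` is added without a comment saying why the handler exists or what it hands to the collector. From the visible lines it reports one extra zval slot, `&intern->array`, on top of the table returned by `zend_std_get_properties`; that is presumably what lets the cycle collector see references held through the backing storage, the condition the patch name ties to CVE-2016-5771. I would add a comment above the function such as `/* Expose the backing storage zval to the GC: it is not part of the property table, so the collector cannot account for it otherwise. */`. The comment should also state that `*gc_data` points into `intern` itself and is only valid while the object is alive. Since `intern->array` is passed on without a NULL check, it is worth confirming that the collector skips empty slots in this PHP version.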
@@ -1973,6 +1983,7 @@
spl_handler_ArrayObject.get_properties = spl_array_get_properties;
spl_handler_ArrayObject.get_debug_info = spl_array_get_debug_info;
+ spl_handler_ArrayObject.get_gc = spl_array_get_gc;
spl_handler_ArrayObject.read_property = spl_array_read_property;
spl_handler_ArrayObject.write_property = spl_array_write_property;
spl_handler_ArrayObject.get_property_ptr_ptr = spl_array_get_property_ptr_ptr;
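Review bot: Only `spl_handler_ArrayObject` receives `get_gc` in this hunk, so whether ArrayIterator objects get the same protection depends on code outside it. If `spl_handler_ArrayIterator` is initialised by copying this table after these assignments, it inherits the handler. If it is copied earlier or filled in separately, it also needs `spl_handler_ArrayIterator.get_gc = spl_array_get_gc;`. The enclosing init function starts and ends outside the hunk, so this should be checked against the full file. The regression test added by this patch exercises ArrayObject only.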
Index: php5-5.4.45/ext/standard/tests/strings/bug72433.phpt
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ php5-5.4.45/ext/standard/tests/strings/bug72433.phpt 2016-08-19 14:41:43.000000000 +0200
@@ -0,0 +1,32 @@
+--TEST--
+Bug #72433: Use After Free Vulnerability in PHP's GC algorithm and unserialize
+--FILE--
+<?php
+// Fill any potential freed spaces until now.
+$filler = array();
+for($i = 0; $i < 100; $i++)
+ $filler[] = "";
+// Create our payload and unserialize it.
+$serialized_payload = 'a:3:{i:0;r:1;i:1;r:1;i:2;C:11:"ArrayObject":19:{x:i:0;r:1;;m:a:0:{}}}';
+$free_me = unserialize($serialized_payload);
+// We need to increment the reference counter of our ArrayObject s.t. all reference counters of our unserialized array become 0.
+$inc_ref_by_one = $free_me[2];
+// The call to gc_collect_cycles will free '$free_me'.
+gc_collect_cycles();
+// We now have multiple freed spaces. Fill all of them.
+$fill_freed_space_1 = "filler_zval_1";
+$fill_freed_space_2 = "filler_zval_2";
+var_dump($free_me);
+?>
+--EXPECTF--
+array(3) {
+ [0]=>
+ *RECURSION*
+ [1]=>
+ *RECURSION*
+ [2]=>
+ object(ArrayObject)#%d (1) {
+ ["storage":"ArrayObject":private]=>
+ *RECURSION*
+ }
+}
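Review bot: The comments in the test body describe the pre-fix behaviour as if it still happens (`// The call to gc_collect_cycles will free '$free_me'.`), which is misleading next to an EXPECTF section that shows the array intact. I would reword them along the lines of `// Before the fix, gc_collect_cycles() freed $free_me while it was still referenced.` and `// With the fix, the strings below must not reuse memory still reachable from $free_me.` Because the test only compares `var_dump` output, a regression may pass or crash depending on allocator state, so it is most reliable when the suite is run in a memory-checking build. It also covers only the `ArrayObject` path through `unserialize`.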