alpine-pkg/testing/php5.4/d06-u007-CVE-2016-7411.patch


Index: php5-5.4.45/Zend/zend_objects_API.c
===================================================================
--- php5-5.4.45.orig/Zend/zend_objects_API.c 2016-12-09 15:56:42.813367317 +0100
+++ php5-5.4.45/Zend/zend_objects_API.c 2016-12-09 15:56:42.809367428 +0100
@@ -215,7 +215,7 @@
} zend_end_try();
}
}
-
+
/* re-read the object from the object store as the store might have been reallocated in the dtor */
obj = &EG(objects_store).object_buckets[handle].bucket.obj;
@@ -306,8 +306,8 @@
{
zend_object_handle handle = Z_OBJ_HANDLE_P(zobject);
zend_object_store_bucket *obj_bucket = &EG(objects_store).object_buckets[handle];
-
- obj_bucket->bucket.obj.handlers = Z_OBJ_HT_P(zobject);;
+
+ obj_bucket->bucket.obj.handlers = Z_OBJ_HT_P(zobject);
obj_bucket->destructor_called = 1;
}
Index: php5-5.4.45/ext/standard/tests/serialize/bug73052.phpt
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ php5-5.4.45/ext/standard/tests/serialize/bug73052.phpt 2016-12-09 15:56:42.809367428 +0100
@@ -0,0 +1,18 @@
+--TEST--
+Bug #73052: Memory Corruption in During Deserialized-object Destruction
+--FILE--
+<?php
+
+class obj {
+ var $ryat;
+ public function __destruct() {
+ $this->ryat = null;
+ }
+}
+
+$poc = 'O:3:"obj":1:{';
+var_dump(unserialize($poc));
+?>
+--EXPECTF--
+Notice: unserialize(): Error at offset 13 of 13 bytes in %sbug73052.php on line %d
+bool(false)
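Review bot: The expected output cannot tell a skipped destructor from one that ran without visibly crashing, because `__destruct()` prints nothing and the memory corruption named in the test title may only surface under valgrind or a sanitizer build. Adding `echo "destructor called\n";` as the first statement of `__destruct()` would make the test fail on any build where the destructor still runs on the partially unserialized object, since the EXPECTF section lists only the notice and `bool(false)`. The test also covers only a single truncated top-level object; a second case with a truncated object nested inside an array would exercise the same failure branch from a different entry path.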
Index: php5-5.4.45/ext/standard/var_unserializer.c
===================================================================
--- php5-5.4.45.orig/ext/standard/var_unserializer.c 2016-12-09 15:56:42.813367317 +0100
+++ php5-5.4.45/ext/standard/var_unserializer.c 2016-12-09 15:56:42.809367428 +0100
@@ -440,6 +440,7 @@
/* We've got partially constructed object on our hands here. Wipe it. */
if(Z_TYPE_PP(rval) == IS_OBJECT) {
zend_hash_clean(Z_OBJPROP_PP(rval));
+ zend_object_store_ctor_failed(*rval TSRMLS_CC);
}
ZVAL_NULL(*rval);
return 0;
Index: php5-5.4.45/ext/standard/var_unserializer.re
===================================================================
--- php5-5.4.45.orig/ext/standard/var_unserializer.re 2016-12-09 15:56:42.813367317 +0100
+++ php5-5.4.45/ext/standard/var_unserializer.re 2016-12-09 15:56:42.809367428 +0100
@@ -446,6 +446,7 @@
/* We've got partially constructed object on our hands here. Wipe it. */
if(Z_TYPE_PP(rval) == IS_OBJECT) {
zend_hash_clean(Z_OBJPROP_PP(rval));
+ zend_object_store_ctor_failed(*rval TSRMLS_CC);
}
ZVAL_NULL(*rval);
return 0;
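Review bot: The added `zend_object_store_ctor_failed(*rval TSRMLS_CC);` in the failure branch carries no comment explaining why it is needed, and the existing "Wipe it." comment describes only the property-table clean above it. Judging by the `destructor_called = 1` assignment visible in the zend_objects_API.c hunk, the call marks the object so that its destructor is never invoked; I would say so directly above the call, e.g. `/* Never run __destruct() on a half-built object (bug #73052, CVE-2016-7411). */`. The identical line in var_unserializer.c is presumably the re2c-generated copy of this file, so the two should only ever be changed together. The enclosing function starts and ends outside the hunk.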