You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
alpine-pkg/testing/php5.4/d06-u008-CVE-2016-7417.patch

45 lines
1.5 KiB

Index: php5-5.4.45/ext/spl/spl_array.c
===================================================================
--- php5-5.4.45.orig/ext/spl/spl_array.c 2016-12-09 15:58:15.058812500 +0100
+++ php5-5.4.45/ext/spl/spl_array.c 2016-12-09 15:58:15.054812611 +0100
@@ -306,7 +306,7 @@
long index;
HashTable *ht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
- if (!offset) {
+ if (!offset || !ht) {
return &EG(uninitialized_zval_ptr);
}
@@ -1808,7 +1808,9 @@
intern->ar_flags |= flags & SPL_ARRAY_CLONE_MASK;
zval_ptr_dtor(&intern->array);
ALLOC_INIT_ZVAL(intern->array);
- if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)) {
+ if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)
+ || (Z_TYPE_P(intern->array) != IS_ARRAY && Z_TYPE_P(intern->array) != IS_OBJECT)) {
+ zval_ptr_dtor(&intern->array);
goto outexcept;
}
var_push_dtor(&var_hash, &intern->array);
Index: php5-5.4.45/ext/spl/tests/bug73029.phpt
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ php5-5.4.45/ext/spl/tests/bug73029.phpt 2016-12-09 15:58:15.054812611 +0100
@@ -0,0 +1,16 @@
+--TEST--
+Bug #73029: Missing type check when unserializing SplArray
+--FILE--
+<?php
+try {
+$a = 'C:11:"ArrayObject":19:0x:i:0;r:2;;m:a:0:{}}';
+$m = unserialize($a);
+$x = $m[2];
+} catch(UnexpectedValueException $e) {
+ print $e->getMessage() . "\n";
+}
+?>
+DONE
+--EXPECTF--
+Error at offset 10 of 19 bytes
+DONE