summarylogtreecommitdiffstats
path: root/CVE-2014-3669.patch
blob: 5266f37dbcd86e7735f4f8a1ba076ccdcf90f6a5 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56

From 9aa90145239bae82d2af0a99fdae4ab27eb5f4f2 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sun, 28 Sep 2014 14:19:31 -0700
Subject: [PATCH] Fixed bug #68044: Integer overflow in unserialize() (32-bits
 only)

---
 ext/standard/tests/serialize/bug68044.phpt | 12 ++++++++++++
 ext/standard/var_unserializer.c            |  4 ++--
 ext/standard/var_unserializer.re           |  2 +-
 3 files changed, 15 insertions(+), 3 deletions(-)
 create mode 100644 ext/standard/tests/serialize/bug68044.phpt

Index: php5-5.3.10/ext/standard/tests/serialize/bug68044.phpt
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ php5-5.3.10/ext/standard/tests/serialize/bug68044.phpt	2014-10-28 10:47:49.392858855 -0400
@@ -0,0 +1,12 @@
+--TEST--
+Bug #68044 Integer overflow in unserialize() (32-bits only)
+--FILE--
+<?php
+	echo unserialize('C:3:"XYZ":18446744075857035259:{}');
+?>
+===DONE==
+--EXPECTF--
+Warning: Insufficient data for unserializing - %d required, 1 present in %s/bug68044.php on line 2
+
+Notice: unserialize(): Error at offset 32 of 33 bytes in %s/bug68044.php on line 2
+===DONE==
Index: php5-5.3.10/ext/standard/var_unserializer.c
===================================================================
--- php5-5.3.10.orig/ext/standard/var_unserializer.c	2014-10-28 10:47:49.392858855 -0400
+++ php5-5.3.10/ext/standard/var_unserializer.c	2014-10-28 10:47:49.392858855 -0400
@@ -333,7 +333,7 @@
 
 	(*p) += 2;
 
-	if (datalen < 0 || (*p) + datalen >= max) {
+	if (datalen < 0 || (max - (*p)) <= datalen) {
 		zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p)));
 		return 0;
 	}
Index: php5-5.3.10/ext/standard/var_unserializer.re
===================================================================
--- php5-5.3.10.orig/ext/standard/var_unserializer.re	2014-10-28 10:47:49.392858855 -0400
+++ php5-5.3.10/ext/standard/var_unserializer.re	2014-10-28 10:47:49.392858855 -0400
@@ -339,7 +339,7 @@
 
 	(*p) += 2;
 
-	if (datalen < 0 || (*p) + datalen >= max) {
+	if (datalen < 0 || (max - (*p)) <= datalen) {
 		zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p)));
 		return 0;
 	}