1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
|
Description: fix arbitrary code exection via process_nested_data use-after-free
Origin: backport, https://github.com/php/php-src/commit/780222f97f47644a6a118ada86a269a96a1e8134
Origin: backport, https://github.com/php/php-src/commit/d76b293ac71aa5bd4e9a433192afef6e0dd5a4ee
Bug: https://bugs.php.net/bug.php?id=68976
Index: php5-5.3.10/ext/standard/var_unserializer.c
===================================================================
--- php5-5.3.10.orig/ext/standard/var_unserializer.c 2015-04-17 06:24:38.154295164 -0400
+++ php5-5.3.10/ext/standard/var_unserializer.c 2015-04-17 06:24:38.154295164 -0400
@@ -304,6 +304,7 @@
zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
sizeof data, NULL);
}
+ var_push_dtor(var_hash, &data);
zval_dtor(key);
FREE_ZVAL(key);
Index: php5-5.3.10/ext/standard/var_unserializer.re
===================================================================
--- php5-5.3.10.orig/ext/standard/var_unserializer.re 2015-04-17 06:24:38.154295164 -0400
+++ php5-5.3.10/ext/standard/var_unserializer.re 2015-04-17 06:24:38.154295164 -0400
@@ -310,6 +310,7 @@
zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
sizeof data, NULL);
}
+ var_push_dtor(var_hash, &data);
zval_dtor(key);
FREE_ZVAL(key);
|