diff options
| author | Remi Collet <fedora@famillecollet.com> | 2016-01-06 17:23:22 +0100 |
|---|---|---|
| committer | Remi Collet <fedora@famillecollet.com> | 2016-01-06 17:23:22 +0100 |
| commit | 08069d1e5b43644dc9cac9bd4d645304320cc0d0 (patch) | |
| tree | f8988aebb20c1daa63e0fce4266696746239d06b /bug70661.patch | |
| parent | 70444173463d55a2a01c10de14a0a092bc6db3ef (diff) | |
PHP 5.4.45 with security patches from 5.5.31
Diffstat (limited to 'bug70661.patch')
| -rw-r--r-- | bug70661.patch | 104 |
1 files changed, 104 insertions, 0 deletions
diff --git a/bug70661.patch b/bug70661.patch new file mode 100644 index 0000000..90eae74 --- /dev/null +++ b/bug70661.patch @@ -0,0 +1,104 @@ +Backported from 5.5 for 5.4 by Remi Collet + +From dcf3c9761c31e12011ba202f30caff53aae2056c Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 28 Dec 2015 14:46:35 -0800 +Subject: [PATCH] Fixed bug #70661 (Use After Free Vulnerability in WDDX Packet + Deserialization) + +--- + NEWS | 2 ++ + ext/wddx/tests/bug70661.phpt | 69 ++++++++++++++++++++++++++++++++++++++++++++ + ext/wddx/wddx.c | 2 +- + 3 files changed, 72 insertions(+), 1 deletion(-) + create mode 100644 ext/wddx/tests/bug70661.phpt + +diff --git a/ext/wddx/tests/bug70661.phpt b/ext/wddx/tests/bug70661.phpt +new file mode 100644 +index 0000000..e068c20 +--- /dev/null ++++ b/ext/wddx/tests/bug70661.phpt +@@ -0,0 +1,69 @@ ++--TEST-- ++Bug #70661 (Use After Free Vulnerability in WDDX Packet Deserialization) ++--SKIPIF-- ++<?php ++if (!extension_loaded("wddx")) print "skip"; ++?> ++--FILE-- ++<?php ++$fakezval = ptr2str(1122334455); ++$fakezval .= ptr2str(0); ++$fakezval .= "\x00\x00\x00\x00"; ++$fakezval .= "\x01"; ++$fakezval .= "\x00"; ++$fakezval .= "\x00\x00"; ++ ++$x = <<<EOT ++<?xml version='1.0'?> ++<wddxPacket version='1.0'> ++<header/> ++ <data> ++ <struct> ++ <recordset rowCount='1' fieldNames='ryat'> ++ <field name='ryat'> ++ <var name='php_class_name'> ++ <string>stdClass</string> ++ </var> ++ <null/> ++ </field> ++ </recordset> ++ </struct> ++ </data> ++</wddxPacket> ++EOT; ++ ++$y = wddx_deserialize($x); ++ ++for ($i = 0; $i < 5; $i++) { ++ $v[$i] = $fakezval.$i; ++} ++ ++var_dump($y); ++ ++function ptr2str($ptr) ++{ ++ $out = ''; ++ ++ for ($i = 0; $i < 8; $i++) { ++ $out .= chr($ptr & 0xff); ++ $ptr >>= 8; ++ } ++ ++ return $out; ++} ++?> ++DONE ++--EXPECTF-- ++array(1) { ++ [0]=> ++ array(1) { ++ ["ryat"]=> ++ array(2) { ++ ["php_class_name"]=> ++ string(8) "stdClass" ++ [0]=> ++ NULL ++ } ++ } ++} ++DONE +\ No newline at end of file +diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c +index 8017620..b9dd1fa 100644 +--- a/ext/wddx/wddx.c ++++ b/ext/wddx/wddx.c +@@ -978,7 +978,7 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name) + + if (ent1->varname) { + if (!strcmp(ent1->varname, PHP_CLASS_NAME_VAR) && +- Z_TYPE_P(ent1->data) == IS_STRING && Z_STRLEN_P(ent1->data)) { ++ Z_TYPE_P(ent1->data) == IS_STRING && Z_STRLEN_P(ent1->data) && ent2->type == ST_STRUCT) { + zend_bool incomplete_class = 0; + + zend_str_tolower(Z_STRVAL_P(ent1->data), Z_STRLEN_P(ent1->data)); |