From 2f649ee4cbea50aaf88ae480ecfe36651dd135a2 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Fri, 22 Jul 2016 19:29:20 +0200 Subject: PHP 5.4.45 with security fix from 5.5.38 --- bug72562.patch | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 bug72562.patch (limited to 'bug72562.patch') diff --git a/bug72562.patch b/bug72562.patch new file mode 100644 index 0000000..cbed3d6 --- /dev/null +++ b/bug72562.patch @@ -0,0 +1,73 @@ +From 3798eb6fd5dddb211b01d41495072fd9858d4e32 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Tue, 12 Jul 2016 23:27:45 -0700 +Subject: [PATCH] Fix bug #72562 - destroy var_hash properly + +--- + ext/session/session.c | 3 ++- + ext/session/tests/bug72562.phpt | 44 +++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 46 insertions(+), 1 deletion(-) + create mode 100644 ext/session/tests/bug72562.phpt + +diff --git a/ext/session/session.c b/ext/session/session.c +index f5439ea..cb6cc01 100644 +--- a/ext/session/session.c ++++ b/ext/session/session.c +@@ -837,6 +837,7 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */ + namelen = ((unsigned char)(*p)) & (~PS_BIN_UNDEF); + + if (namelen < 0 || namelen > PS_BIN_MAX || (p + namelen) >= endptr) { ++ PHP_VAR_UNSERIALIZE_DESTROY(var_hash); + return FAILURE; + } + +diff --git a/ext/session/tests/bug72562.phpt b/ext/session/tests/bug72562.phpt +new file mode 100644 +index 0000000..d85e48b +--- /dev/null ++++ b/ext/session/tests/bug72562.phpt +@@ -0,0 +1,44 @@ ++--TEST-- ++Bug #72562: Use After Free in unserialize() with Unexpected Session Deserialization ++--SKIPIF-- ++ ++--FILE-- ++>= 8; ++ } ++ return $out; ++} ++?> ++--EXPECTF-- ++Warning: session_decode(): Failed to decode session object. Session has been destroyed in %s/bug72562.php on line %d ++ ++Notice: unserialize(): Error at offset 0 of 1 bytes in %s/bug72562.php on line %d ++ ++Notice: unserialize(): Error at offset 4 of 4 bytes in %s/bug72562.php on line %d ++bool(false) -- cgit