From aae3fef56b0850352e715a7e860a69b33c34fe5d Mon Sep 17 00:00:00 2001
From: Remi Collet <fedora@famillecollet.com>
Date: Wed, 9 Nov 2016 18:12:33 +0100
Subject: PHP 5.5.38 with minor security fix from 5.6.28

---
 bug73144.patch | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 bug73144.patch

(limited to 'bug73144.patch')

diff --git a/bug73144.patch b/bug73144.patch
new file mode 100644
index 0000000..bfe8c3e
--- /dev/null
+++ b/bug73144.patch
@@ -0,0 +1,58 @@
+Backported from 5.6.28 by Remi.
+
+
+From b433034febb099835a61943986522eb246115910 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 23 Oct 2016 21:56:35 -0700
+Subject: [PATCH] Fix bug #73144 and bug #73341 - remove extra dtor
+
+---
+ ext/spl/spl_array.c                        |  2 +-
+ ext/standard/tests/serialize/bug73341.phpt | 24 ++++++++++++++++++++++++
+ 2 files changed, 25 insertions(+), 1 deletion(-)
+ create mode 100644 ext/standard/tests/serialize/bug73341.phpt
+
+diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
+index 700d609..e7cbd1f 100644
+--- a/ext/spl/spl_array.c
++++ b/ext/spl/spl_array.c
+@@ -1798,7 +1798,7 @@ SPL_METHOD(Array, unserialize)
+ 		ALLOC_INIT_ZVAL(intern->array);
+ 		if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)
+ 				|| (Z_TYPE_P(intern->array) != IS_ARRAY && Z_TYPE_P(intern->array) != IS_OBJECT)) {
+-			zval_ptr_dtor(&intern->array);
++			// zval_ptr_dtor(&intern->array);
+ 			goto outexcept;
+ 		}
+ 		var_push_dtor(&var_hash, &intern->array);
+diff --git a/ext/standard/tests/serialize/bug73341.phpt b/ext/standard/tests/serialize/bug73341.phpt
+new file mode 100644
+index 0000000..5542321
+--- /dev/null
++++ b/ext/standard/tests/serialize/bug73341.phpt
+@@ -0,0 +1,24 @@
++--TEST--
++Bug #73144 (Use-afte-free in ArrayObject Deserialization)
++--FILE--
++<?php
++try {
++$token = 'a:2:{i:0;O:1:"0":2:0s:1:"0";i:0;s:1:"0";a:1:{i:0;C:11:"ArrayObject":7:0x:i:0;r0';
++$obj = unserialize($token);
++} catch(Exception $e) {
++	echo $e->getMessage()."\n";
++}
++
++try {
++$inner = 'x:i:1;O:8:"stdClass":1:{};m:a:0:{}';
++$exploit = 'C:11:"ArrayObject":'.strlen($inner).':{'.$inner.'}';
++unserialize($exploit);
++} catch(Exception $e) {
++	echo $e->getMessage()."\n";
++}
++?>
++--EXPECTF--
++Error at offset 6 of 7 bytes
++
++Notice: ArrayObject::unserialize(): Unexpected end of serialized data in %sbug73341.php on line %d
++Error at offset 24 of 34 bytes
+\ No newline at end of file
-- 
cgit