Changes - j0ke.net Open Build Service

Changes of Revision 3

[-] [+]	Changed	php5.changes
@@ -1,4 +1,20 @@ ------------------------------------------------------------------- +Wed Mar 11 15:13:12 UTC 2015 - cs@linux-administrator.com + +- added php-CVE-2014-3597.patch +- added php-CVE-2014-3668.patch +- added php-CVE-2014-3669.patch +- added php-CVE-2014-3670.patch +- added php-CVE-2014-4670.patch +- added php-CVE-2014-4698.patch +- added php-CVE-2014-4721.patch +- added php-CVE-2014-8142.patch +- added php-CVE-2014-9652.patch +- added php-CVE-2015-0231.patch +- added php-CVE-2015-0232.patch +- added php-CVE-2015-0273.patch + +------------------------------------------------------------------- Fri Aug 15 09:39:00 UTC 2014 - cs@linux-administrator.com - update to release 5.3.29
[-] [+]	Changed	php5.spec ^
@@ -127,6 +127,19 @@ Patch21: php-5.3.4-session.patch Patch22: php-5.3.10-maillog-httphost.patch +Patch50: php-CVE-2014-3597.patch +Patch51: php-CVE-2014-3668.patch +Patch52: php-CVE-2014-3669.patch +Patch53: php-CVE-2014-3670.patch +Patch54: php-CVE-2014-4670.patch +Patch55: php-CVE-2014-4698.patch +Patch56: php-CVE-2014-4721.patch +Patch57: php-CVE-2014-8142.patch +Patch58: php-CVE-2014-9652.patch +Patch59: php-CVE-2015-0231.patch +Patch60: php-CVE-2015-0232.patch +Patch61: php-CVE-2015-0273.patch + Url: http://www.php.net BuildRoot: %{_tmppath}/%{name}-%{version}-build Summary: PHP5 Core Files @@ -1226,6 +1239,19 @@ %patch21 %patch22 +%patch50 +%patch51 +%patch52 +%patch53 +%patch54 +%patch55 +%patch56 +%patch57 +%patch58 +%patch59 +%patch60 +%patch61 + # we build three SAPI %{__mkdir_p} build-apache2 build-fpm %{__mkdir_p} build-fastcgi/sapi/cgi/libfcgi
[-] [+]	Added	php-CVE-2014-3597.patch ^
@@ -0,0 +1,272 @@ +From 2fefae47716d501aec41c1102f3fd4531f070b05 Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@php.net> +Date: Tue, 19 Aug 2014 08:33:49 +0200 +Subject: [PATCH] Fixed Sec Bug #67717 segfault in dns_get_record CVE-2014-3597 + +Incomplete fix for CVE-2014-4049 + +Check possible buffer overflow +- pass real buffer end to dn_expand calls +- check buffer len before each read +--- + ext/standard/dns.c \| 84 ++++++++++++++++++++++++++++++++++++++---------------- + 1 file changed, 60 insertions(+), 24 deletions(-) + +Index: ext/standard/dns.c +=================================================================== +--- ext/standard/dns.c.orig 2014-09-09 11:30:36.342448937 +0200 ++++ ext/standard/dns.c 2014-09-09 11:44:59.066434153 +0200 +@@ -412,8 +412,14 @@ + + #if HAVE_FULL_DNS_FUNCS + ++#define CHECKCP(n) do { \ ++ if (cp + n > end) { \ ++ return NULL; \ ++ } \ ++} while (0) ++ + /* {{{ php_parserr / +-static u_char php_parserr(u_char cp, querybuf answer, int type_to_fetch, int store, zval *subarray) ++static u_char php_parserr(u_char cp, u_char end, querybuf answer, int type_to_fetch, int store, zval subarray) + { + u_short type, class, dlen; + u_long ttl; +@@ -425,16 +431,18 @@ + + subarray = NULL; + +- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, sizeof(name) - 2); ++ n = dn_expand(answer->qb2, end, cp, name, sizeof(name) - 2); + if (n < 0) { + return NULL; + } + cp += n; + ++ CHECKCP(10); + GETSHORT(type, cp); + GETSHORT(class, cp); + GETLONG(ttl, cp); + GETSHORT(dlen, cp); ++ CHECKCP(dlen); + if (type_to_fetch != T_ANY && type != type_to_fetch) { + cp += dlen; + return cp; +@@ -451,12 +459,14 @@ + add_assoc_string(subarray, "host", name, 1); + switch (type) { + case DNS_T_A: ++ CHECKCP(4); + add_assoc_string(subarray, "type", "A", 1); + snprintf(name, sizeof(name), "%d.%d.%d.%d", cp[0], cp[1], cp[2], cp[3]); + add_assoc_string(subarray, "ip", name, 1); + cp += dlen; + break; + case DNS_T_MX: ++ CHECKCP(2); + add_assoc_string(subarray, "type", "MX", 1); + GETSHORT(n, cp); + add_assoc_long(subarray, "pri", n); +@@ -475,7 +485,7 @@ + if (type == DNS_T_PTR) { + add_assoc_string(subarray, "type", "PTR", 1); + } +- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2); ++ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2); + if (n < 0) { + return NULL; + } +@@ -485,18 +495,22 @@ + case DNS_T_HINFO: + /* See RFC 1010 for values / + add_assoc_string(subarray, "type", "HINFO", 1); ++ CHECKCP(1); + n = cp & 0xFF; + cp++; ++ CHECKCP(n); + add_assoc_stringl(subarray, "cpu", (char)cp, n, 1); + cp += n; ++ CHECKCP(1); + n = cp & 0xFF; + cp++; ++ CHECKCP(n); + add_assoc_stringl(subarray, "os", (char)cp, n, 1); + cp += n; + break; + case DNS_T_TXT: + { +- int ll = 0; ++ int l1 = 0, l2 = 0; + zval entries = NULL; + + add_assoc_string(subarray, "type", "TXT", 1); +@@ -505,37 +519,41 @@ + MAKE_STD_ZVAL(entries); + array_init(entries); + +- while (ll < dlen) { +- n = cp[ll]; +- if ((ll + n) >= dlen) { ++ while (l1 < dlen) { ++ n = cp[l1]; ++ if ((l1 + n) >= dlen) { + // Invalid chunk length, truncate +- n = dlen - (ll + 1); ++ n = dlen - (l1 + 1); + } +- memcpy(tp + ll , cp + ll + 1, n); +- add_next_index_stringl(entries, cp + ll + 1, n, 1); +- ll = ll + n + 1; ++ if (n) { ++ memcpy(tp + l2 , cp + l1 + 1, n); ++ add_next_index_stringl(entries, cp + l1 + 1, n, 1); ++ } ++ l1 = l1 + n + 1; ++ l2 = l2 + n; + } +- tp[dlen] = '\0'; ++ tp[l2] = '\0'; + cp += dlen; + +- add_assoc_stringl(subarray, "txt", tp, dlen - 1, 0); ++ add_assoc_stringl(subarray, "txt", tp, l2, 0); + add_assoc_zval(subarray, "entries", entries); + } + break; + case DNS_T_SOA: + add_assoc_string(subarray, "type", "SOA", 1); +- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2); ++ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2); + if (n < 0) { + return NULL; + } + cp += n; + add_assoc_string(subarray, "mname", name, 1); +- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2); ++ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2); + if (n < 0) { + return NULL; + } + cp += n; + add_assoc_string(subarray, "rname", name, 1); ++ CHECKCP(54); + GETLONG(n, cp); + add_assoc_long(subarray, "serial", n); + GETLONG(n, cp); +@@ -549,6 +567,7 @@ + break; + case DNS_T_AAAA: + tp = (u_char)name; ++ CHECKCP(82); + for(i=0; i < 8; i++) { + GETSHORT(s, cp); + if (s != 0) { +@@ -583,6 +602,7 @@ + case DNS_T_A6: + p = cp; + add_assoc_string(subarray, "type", "A6", 1); ++ CHECKCP(1); + n = ((int)cp[0]) & 0xFF; + cp++; + add_assoc_long(subarray, "masklen", n); +@@ -618,6 +638,7 @@ + cp++; + } + for (i = (n + 8) / 16; i < 8; i++) { ++ CHECKCP(2); + GETSHORT(s, cp); + if (s != 0) { + if (tp > (u_char )name) { +@@ -647,7 +668,7 @@ + tp[0] = '\0'; + add_assoc_string(subarray, "ipv6", name, 1); + if (cp < p + dlen) { +- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2); ++ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2); + if (n < 0) { + return NULL; + } +@@ -656,6 +677,7 @@ + } + break; + case DNS_T_SRV: ++ CHECKCP(32); + add_assoc_string(subarray, "type", "SRV", 1); + GETSHORT(n, cp); + add_assoc_long(subarray, "pri", n); +@@ -663,7 +685,7 @@ + add_assoc_long(subarray, "weight", n); + GETSHORT(n, cp);
[-] [+]	Added	php-CVE-2014-3668.patch ^
@@ -0,0 +1,56 @@ +X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fxmlrpc%2Flibxmlrpc%2Fxmlrpc.c;h=b766a5495a41b3ecd5eecdcfae901c9068937da0;hp=ce70c2afd909b748f3ddc4560a1c3f882a498014;hb=88412772d295ebf7dd34409534507dc9bcac726e;hpb=82b07b62c06e9e55ab3590f20bd80a84ce73a801 + +diff --git a/ext/xmlrpc/libxmlrpc/xmlrpc.c b/ext/xmlrpc/libxmlrpc/xmlrpc.c +index ce70c2a..b766a54 100644 +--- ext/xmlrpc/libxmlrpc/xmlrpc.c ++++ ext/xmlrpc/libxmlrpc/xmlrpc.c +@@ -219,16 +219,19 @@ static int date_from_ISO8601 (const char text, time_t value) { + n = 10; + tm.tm_mon = 0; + for(i = 0; i < 2; i++) { +- XMLRPC_IS_NUMBER(text[i]) ++ XMLRPC_IS_NUMBER(text[i+4]) + tm.tm_mon += (text[i+4]-'0')n; + n /= 10; + } + tm.tm_mon --; ++ if(tm.tm_mon < 0 \|\| tm.tm_mon > 11) { ++ return -1; ++ } + + n = 10; + tm.tm_mday = 0; + for(i = 0; i < 2; i++) { +- XMLRPC_IS_NUMBER(text[i]) ++ XMLRPC_IS_NUMBER(text[i+6]) + tm.tm_mday += (text[i+6]-'0')n; + n /= 10; + } +@@ -236,7 +239,7 @@ static int date_from_ISO8601 (const char text, time_t value) { + n = 10; + tm.tm_hour = 0; + for(i = 0; i < 2; i++) { +- XMLRPC_IS_NUMBER(text[i]) ++ XMLRPC_IS_NUMBER(text[i+9]) + tm.tm_hour += (text[i+9]-'0')n; + n /= 10; + } +@@ -244,7 +247,7 @@ static int date_from_ISO8601 (const char text, time_t * value) { + n = 10; + tm.tm_min = 0; + for(i = 0; i < 2; i++) { +- XMLRPC_IS_NUMBER(text[i]) ++ XMLRPC_IS_NUMBER(text[i+12]) + tm.tm_min += (text[i+12]-'0')n; + n /= 10; + } +@@ -252,7 +255,7 @@ static int date_from_ISO8601 (const char text, time_t * value) { + n = 10; + tm.tm_sec = 0; + for(i = 0; i < 2; i++) { +- XMLRPC_IS_NUMBER(text[i]) ++ XMLRPC_IS_NUMBER(text[i+15]) + tm.tm_sec += (text[i+15]-'0')*n; + n /= 10; + } +
[-] [+]	Added	php-CVE-2014-3669.patch ^
@@ -0,0 +1,15 @@ +X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fstandard%2Fvar_unserializer.re;h=6de158392e116823eaba710dbf221e722e351250;hp=130750805f462a4a79cddf5a96e95bf2e63bf432;hb=56754a7f9eba0e4f559b6ca081d9f2a447b3f159;hpb=88412772d295ebf7dd34409534507dc9bcac726e + +diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re +index 1307508..6de1583 100644 +--- ext/standard/var_unserializer.re ++++ ext/standard/var_unserializer.re +@@ -376,7 +376,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry ce) + + (p) += 2; + +- if (datalen < 0 \|\| (p) + datalen >= max) { ++ if (datalen < 0 \|\| (max - (p)) <= datalen) { + zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p))); + return 0; + }
[-] [+]	Added	php-CVE-2014-3670.patch ^
@@ -0,0 +1,21 @@ +-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fexif%2Fexif.c;h=637ebf9289b40d157fdf8edcdddeb3d907b28d9b;hp=38907b4d942a8d2419060a688aa3c5e5dedcb118;hb=ddb207e7fa2e9adeba021a1303c3781efda5409b;hpb=d1e030db02f402efebfe2976482dd7e7ebe2956f + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index 38907b4..637ebf9 100644 +--- ext/exif/exif.c ++++ ext/exif/exif.c +@@ -2426,11 +2426,11 @@ static void* exif_ifd_make_value(image_info_data *info_data, int motorola_intel + data_ptr += 8; + break; + case TAG_FMT_SINGLE: +- memmove(data_ptr, &info_data->value.f, byte_count); ++ memmove(data_ptr, &info_value->f, 4); + data_ptr += 4; + break; + case TAG_FMT_DOUBLE: +- memmove(data_ptr, &info_data->value.d, byte_count); ++ memmove(data_ptr, &info_value->d, 8); + data_ptr += 8; + break; + } +
[-] [+]	Added	php-CVE-2014-4670.patch ^
@@ -0,0 +1,29 @@ +X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fspl%2Fspl_dllist.c;h=0b44d414d82378bf2741fcd568dff20f407380a6;hp=39a0733b9ac78901cc7eaf9eba080ff060517771;hb=df78c48354f376cf419d7a97f88ca07d572f00fb;hpb=131e60ce569631b5b7c61b8392f545dde936df3e +--- ext/spl/spl_dllist.c ++++ ext/spl/spl_dllist.c +@@ -43,12 +43,10 @@ PHPAPI zend_class_entry spl_ce_SplStack; + + #define SPL_LLIST_DELREF(elem) if(!--(elem)->rc) { \ + efree(elem); \ +- elem = NULL; \ + } + + #define SPL_LLIST_CHECK_DELREF(elem) if((elem) && !--(elem)->rc) { \ + efree(elem); \ +- elem = NULL; \ + } + + #define SPL_LLIST_ADDREF(elem) (elem)->rc++ +@@ -916,6 +914,11 @@ SPL_METHOD(SplDoublyLinkedList, offsetUnset) + llist->dtor(element TSRMLS_CC); + } + ++ if (intern->traverse_pointer == element) { ++ SPL_LLIST_DELREF(element); ++ intern->traverse_pointer = NULL; ++ } ++ + zval_ptr_dtor((zval *)&element->data); + element->data = NULL; + +
[-] [+]	Added	php-CVE-2014-4698.patch ^
@@ -0,0 +1,21 @@ +X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fspl%2Fspl_array.c;h=0fe47b651c13f80c35e612de5cf69ea306095fe6;hp=8392e72714b80483641b1a0d2b6e6389e3c22959;hb=22882a9d89712ff2b6ebc20a689a89452bba4dcd;hpb=df78c48354f376cf419d7a97f88ca07d572f00fb +Index: ext/spl/spl_array.c +=================================================================== +--- ext/spl/spl_array.c.orig 2014-07-17 15:57:13.633410017 +0200 ++++ ext/spl/spl_array.c 2014-07-17 15:57:13.649410017 +0200 +@@ -1753,8 +1753,15 @@ + { + const unsigned char p, s; + zval pmembers, pflags = NULL; ++ HashTable aht; + long flags; + ++ aht = spl_array_get_hash_table(intern, 0 TSRMLS_CC); ++ if (aht->nApplyCount > 0) { ++ zend_error(E_WARNING, "Modification of ArrayObject during sorting is prohibited"); ++ return; ++ } ++ + / storage */ + s = p = buf; +
[-] [+]	Added	php-CVE-2014-4721.patch ^
@@ -0,0 +1,26 @@ +https://bugs.php.net/patch-display.php?bug_id=67498&patch=bug67948-patch&revision=latest +Index: ext/standard/info.c +=================================================================== +--- ext/standard/info.c.orig 2014-07-17 14:31:18.229508033 +0200 ++++ ext/standard/info.c 2014-07-17 14:31:18.373508031 +0200 +@@ -972,16 +972,16 @@ + + php_info_print_table_start(); + php_info_print_table_header(2, "Variable", "Value"); +- if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void ) &data) != FAILURE) { ++ if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void ) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) { + php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data)); + } +- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void ) &data) != FAILURE) { ++ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void ) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) { + php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data)); + } +- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void ) &data) != FAILURE) { ++ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void ) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) { + php_info_print_table_row(2, "PHP_AUTH_USER", Z_STRVAL_PP(data)); + } +- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void ) &data) != FAILURE) { ++ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void ) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) { + php_info_print_table_row(2, "PHP_AUTH_PW", Z_STRVAL_PP(data)); + } + php_print_gpcse_array("_REQUEST", sizeof("_REQUEST")-1 TSRMLS_CC);
[-] [+]	Added	php-CVE-2014-8142.patch ^
@@ -0,0 +1,15 @@ +http://git.php.net/?p=php-src.git;a=commitdiff;h=630f9c33c23639de85c3fd306b209b538b73b4c9 +index 7afef6a..4cf1d10 100644 +--- ext/standard/var_unserializer.re ++++ ext/standard/var_unserializer.re +@@ -347,6 +347,9 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable ht, long + } else { + / object properties should include no integers / + convert_to_string(key); ++ if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void *)&old_data)==SUCCESS) { ++ var_push_dtor(var_hash, old_data); ++ } + zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, + sizeof data, NULL); + } +
[-] [+]	Added	php-CVE-2014-9652.patch ^
@@ -0,0 +1,25 @@ +https://github.com/php/php-src/commit/ede59c8feb4b80e1b94e4abdaa0711051e2912ab +diff --git ext/fileinfo/libmagic/softmagic.c ext/fileinfo/libmagic/softmagic.c +index 7e0c856..e7b7855 100644 +--- ext/fileinfo/libmagic/softmagic.c ++++ ext/fileinfo/libmagic/softmagic.c +@@ -884,14 +884,17 @@ mconvert(struct magic_set ms, struct magic m, int flip) + size_t sz = file_pstring_length_size(m); + char ptr1 = p->s, ptr2 = ptr1 + sz; + size_t len = file_pstring_get_length(m, ptr1); +- if (len >= sizeof(p->s)) { ++ sz = sizeof(p->s) - sz; /* maximum length of string / ++ if (len >= sz) { + / + * The size of the pascal string length (sz) + * is 1, 2, or 4. We need at least 1 byte for NUL + * termination, but we've already truncated the + * string by p->s, so we need to deduct sz. ++ * Because we can use one of the bytes of the length ++ * after we shifted as NUL termination. + / +- len = sizeof(p->s) - sz; ++ len = sz; + } + while (len--) + ptr1++ = *ptr2++;
[-] [+]	Added	php-CVE-2015-0231.patch ^
@@ -0,0 +1,13 @@ +http://git.php.net/?p=php-src.git;a=commitdiff;h=e63f7b47e1937821e75e9862284c3150e1b1d524;hp=fc6aa939f59c9be0febe0fa141629e49541bab8c +--- ext/standard/var_unserializer.re ++++ ext/standard/var_unserializer.re +@@ -347,7 +347,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable ht, long + } else { + / object properties should include no integers / + convert_to_string(key); +- if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void )&old_data)==SUCCESS) { ++ if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void *)&old_data)==SUCCESS) { + var_push_dtor(var_hash, old_data); + } + zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, +
[-] [+]	Added	php-CVE-2015-0232.patch ^
@@ -0,0 +1,15 @@ +X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fexif%2Fexif.c;h=7f95ff43ea7cc9a2c41a912863ed70069c0e34c5;hp=637ebf9289b40d157fdf8edcdddeb3d907b28d9b;hb=2fc178cf448d8e1b95d1314e47eeef610729e0df;hpb=f9ad3086693fce680fbe246e4a45aa92edd2ac35 + +index 637ebf9..7f95ff4 100644 +Index: ext/exif/exif.c +=================================================================== +--- ext/exif/exif.c.orig 2015-01-26 13:47:24.543632173 +0100 ++++ ext/exif/exif.c 2015-01-26 13:47:24.594632758 +0100 +@@ -2723,6 +2723,7 @@ + { + xp_field->tag = tag; + ++ xp_field->value = NULL; + /* Copy the comment / + #if EXIF_USE_MBSTRING + / What if MS supports big-endian with XP? */
[-] [+]	Added	php-CVE-2015-0273.patch ^
@@ -0,0 +1,52 @@ +https://bugs.php.net/patch-display.php?bug=68942&patch=patch-5.4&revision=1422773336 +commit a812c1f5bf3edc986d9ed0a3810cd7bb9eca1330 +Author: Stanislav Malyshev <stas@php.net> +Date: Sat Jan 31 22:40:08 2015 -0800 + + Fix bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone) + + Conflicts: + ext/date/php_date.c + +Index: ext/date/php_date.c +=================================================================== +--- ext/date/php_date.c.orig 2015-02-25 09:20:30.425481283 +0100 ++++ ext/date/php_date.c 2015-02-25 09:24:57.483540522 +0100 +@@ -2539,15 +2539,12 @@ + timelib_tzinfo tzi; + php_timezone_obj tzobj; + +- if (zend_hash_find(myht, "date", 5, (void*) &z_date) == SUCCESS) { +- convert_to_string(z_date); +- if (zend_hash_find(myht, "timezone_type", 14, (void*) &z_timezone_type) == SUCCESS) { +- convert_to_long(z_timezone_type); +- if (zend_hash_find(myht, "timezone", 9, (void) &z_timezone) == SUCCESS) { ++ if (zend_hash_find(myht, "date", 5, (void) &z_date) == SUCCESS && Z_TYPE_PP(z_date) == IS_STRING) { ++ if (zend_hash_find(myht, "timezone_type", 14, (void) &z_timezone_type) == SUCCESS && Z_TYPE_PP(z_timezone_type) == IS_LONG) { ++ if (zend_hash_find(myht, "timezone", 9, (void) &z_timezone) == SUCCESS && Z_TYPE_PP(z_timezone) == IS_STRING) { + zend_error_handling error_handling; + + zend_replace_error_handling(EH_THROW, NULL, &error_handling TSRMLS_CC); +- convert_to_string(z_timezone); + + switch (Z_LVAL_PP(z_timezone_type)) { + case TIMELIB_ZONETYPE_OFFSET: +@@ -2560,7 +2557,6 @@ + } + + case TIMELIB_ZONETYPE_ID: +- convert_to_string(z_timezone); + + tzi = php_date_parse_tzfile(Z_STRVAL_PP(z_timezone), DATE_TIMEZONEDB TSRMLS_CC); + +@@ -2617,7 +2613,9 @@ + + myht = Z_OBJPROP_P(object); + +- php_date_initialize_from_hash(&return_value, &dateobj, myht TSRMLS_CC); ++ if (!php_date_initialize_from_hash(&return_value, &dateobj, myht TSRMLS_CC)) { ++ php_error(E_ERROR, "Invalid serialization data for DateTime object"); ++ } + } + /* }}} */ +