File CVE-2014-3515.patch-not-working of Package php-5.3.29 (Revision 1)
From 88223c5245e9b470e1e6362bfd96829562ffe6ab Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev <stas@php.net> Date: Sat, 21 Jun 2014 19:46:16 -0700 Subject: [PATCH] Fix bug #67492: unserialize() SPL ArrayObject / SPLObjectStorage Type Confusion --- NEWS | 2 ++ ext/spl/spl_array.c | 2 +- ext/spl/spl_observer.c | 2 +- ext/spl/tests/SplObjectStorage_unserialize_bad.phpt | 5 ++++- 4 files changed, 8 insertions(+), 3 deletions(-) diff --git a/NEWS b/NEWS index 507b545..24ce950 100644 --- a/NEWS +++ b/NEWS @@ -53,6 +53,8 @@ PHP NEWS . Fixed bug #66127 (Segmentation fault with ArrayObject unset). (Stas) . Fixed bug #67359 (Segfault in recursiveDirectoryIterator). (Laruence) . Fixed bug #67360 (Missing element after ArrayObject::getIterator). (Adam) + . Fixed bug #67492 (unserialize() SPL ArrayObject / SPLObjectStorage Type + Confusion). (Stefan Esser) 29 May 2014, PHP 5.4.29 diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c index 758947a..bf034ab 100644 --- a/ext/spl/spl_array.c +++ b/ext/spl/spl_array.c @@ -1808,7 +1808,7 @@ SPL_METHOD(Array, unserialize) ++p; ALLOC_INIT_ZVAL(pmembers); - if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) { + if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) { zval_ptr_dtor(&pmembers); goto outexcept; } diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c index 1a706f7..da9110b 100644 --- a/ext/spl/spl_observer.c +++ b/ext/spl/spl_observer.c @@ -898,7 +898,7 @@ SPL_METHOD(SplObjectStorage, unserialize) ++p; ALLOC_INIT_ZVAL(pmembers); - if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) { + if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) { zval_ptr_dtor(&pmembers); goto outexcept; } diff --git a/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt b/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt index a525317..8f0676d 100644 
--- a/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt +++ b/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt @@ -7,6 +7,7 @@ $badblobs = array( 'x:i:2;i:0;,i:1;;i:0;,i:2;;m:a:0:{}', 'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}', 'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}', +'x:i:1;O:8:"stdClass":0:{},N;;m:s:40:"1234567890123456789012345678901234567890"', ); foreach($badblobs as $blob) { try { @@ -17,6 +18,7 @@ try { echo $e->getMessage()."\n"; } } +echo "DONE\n"; --EXPECTF-- Error at offset 6 of 34 bytes Error at offset 46 of 89 bytes @@ -42,4 +44,5 @@ object(SplObjectStorage)#2 (1) { } } } - +Error at offset 79 of 78 bytes +DONE -- 1.9.3
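Review bot: The NEWS hunk is written against the PHP 5.4 NEWS file, so it will not match a php-5.3.29 tree: its context lines include "29 May 2014, PHP 5.4.29" and the neighbouring 5.4 bug entries. Drop the NEWS hunk from the backport, or regenerate it against the 5.3.29 NEWS file, so that a failed changelog hunk does not block the two code changes.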
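Review bot: The ext/spl/spl_array.c change in SPL_METHOD(Array, unserialize) has no regression test; the only test file touched by this patch is SplObjectStorage_unserialize_bad.phpt. Add an ArrayObject case whose unserialized members value is not an array and assert that unserialize() throws, mirroring the blob added for SplObjectStorage.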
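Review bot: The added `Z_TYPE_P(pmembers) != IS_ARRAY` condition in SPL_METHOD(SplObjectStorage, unserialize) in ext/spl/spl_observer.c carries no comment explaining why a value that unserialized successfully must still be rejected. A one-line comment above the `if` naming bug #67492 would keep the check from being dropped in a later cleanup; the identical line in spl_array.c would benefit from the same comment.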
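Review bot: The new expected line `Error at offset 79 of 78 bytes` in the --EXPECTF-- section of SplObjectStorage_unserialize_bad.phpt reports an offset larger than the blob length, which deserves a look before it is frozen into the test. The added blob ends at the closing quote of the 40-character string with no trailing `;`; consider terminating it with `;` so the case exercises the new type check alone and does not also depend on how the cursor moves past a truncated string.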