author | Stanislav Malyshev <stas@php.net> | 2015-09-01 12:06:41 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2015-09-01 12:06:41 -0700 |
commit | c19d59c550053ffa797fce59aadf7bc79727390c (patch) | |
tree | 71dfde3c820dc4027966fcdd5d04b32ee90090e8 /ext/standard/var.c | |
parent | 45e7e79485f27ed22feb206cfe360718c424bf1a (diff) | |
parent | 31b634bf7cb8e3de1dfa71418e348133c2365933 (diff) | |
Merge branch 'PHP-5.5' into PHP-5.6
* PHP-5.5:
update NEWS
add NEWS for fixes
Improve fix for #70172
Fix bug #70312 - HAVAL gives wrong hashes in specific cases
fix test
add test
Fix bug #70366 - use-after-free vulnerability in unserialize() with SplDoublyLinkedList
Fix bug #70365 - use-after-free vulnerability in unserialize() with SplObjectStorage
Fix bug #70172 - Use After Free Vulnerability in unserialize()
Fix bug #70388 - SOAP serialize_function_call() type confusion
Fixed bug #70350: ZipArchive::extractTo allows for directory traversal when creating directories
Improve fix for #70385
Fix bug #70345 (Multiple vulnerabilities related to PCRE functions)
Fix bug #70385 (Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes)
Fix bug #70219 (Use after free vulnerability in session deserializer)
Fix for bug #69782
Add CVE IDs asigned (post release) to PHP 5.4.43
Add CVE IDs asigned to #69085 (PHP 5.4.39)
5.4.45 next
Conflicts:
ext/pcre/php_pcre.c
ext/standard/var_unserializer.c
ext/standard/var_unserializer.re
ext/zip/php_zip.c
Diffstat (limited to 'ext/standard/var.c')
-rw-r--r-- | ext/standard/var.c | 24 |
1 files changed, 20 insertions, 4 deletions
diff --git a/ext/standard/var.c b/ext/standard/var.c index 3f2c0d7887..8d8f68aa68 100644 --- a/ext/standard/var.c +++ b/ext/standard/var.c @@ -373,7 +373,7 @@ static int php_array_element_export(zval **zv TSRMLS_DC, int num_args, va_list a smart_str_appendc(buf, ','); smart_str_appendc(buf, '\n'); - + return 0; } /* }}} */ @@ -392,7 +392,7 @@ static int php_object_element_export(zval **zv TSRMLS_DC, int num_args, va_list const char *pname; char *pname_esc; int pname_esc_len; - + zend_unmangle_property_name(hash_key->arKey, hash_key->nKeyLength - 1, &class_name, &pname); pname_esc = php_addcslashes(pname, strlen(pname), &pname_esc_len, 0, @@ -469,7 +469,7 @@ PHPAPI void php_var_export_ex(zval **struc, int level, smart_str *buf TSRMLS_DC) buffer_append_spaces(buf, level - 1); } smart_str_appendc(buf, ')'); - + break; case IS_OBJECT: @@ -799,7 +799,7 @@ static void php_var_serialize_intern(smart_str *buf, zval *struc, HashTable *var BG(serialize_lock)++; res = call_user_function_ex(CG(function_table), &struc, &fname, &retval_ptr, 0, 0, 1, NULL TSRMLS_CC); BG(serialize_lock)--; - + if (EG(exception)) { if (retval_ptr) { zval_ptr_dtor(&retval_ptr); @@ -948,6 +948,8 @@ PHP_FUNCTION(unserialize) int buf_len; const unsigned char *p; php_unserialize_data_t var_hash; + int oldlevel; + zval *old_rval = return_value; if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &buf, &buf_len) == FAILURE) { RETURN_FALSE; 
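Review bot: `int oldlevel;` in the declarations added at the top of PHP_FUNCTION(unserialize) is not referenced by any line this diff adds, so it looks like a leftover from an earlier draft of the fix and should be dropped; it will also produce an unused-variable warning. `zval *old_rval = return_value;` would benefit from a short comment such as `/* zval handed in by the executor; unserialize of r/R may repoint return_value */`, because the reason for saving it only becomes visible in the later hunk at new line 969. The function body continues outside this hunk.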
@@ -967,6 +969,20 @@ PHP_FUNCTION(unserialize)
 }
 RETURN_FALSE;
 }
+ if (return_value != old_rval) {
+ /*
+ * Terrible hack due to the fact that executor passes us zval *,
+ * but unserialize with r/R wants to replace it with another zval *
+ */
+ zval_dtor(old_rval);
+ *old_rval = *return_value;
+ zval_copy_ctor(old_rval);
+ var_push_dtor_no_addref(&var_hash, &return_value);
+ /* FIXME: old_rval is not freed in some scenarios, see bug #70172
+ var_push_dtor_no_addref(&var_hash, &old_rval); */
+ } else {
+ var_push_dtor(&var_hash, &return_value);
+ }
 PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
 }
 /* }}} */ |
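Review bot: The struct assignment `*old_rval = *return_value;` copies the whole zval, which in the PHP 5 layout carries the refcount and is_ref fields along with the value and type, so the executor's zval inherits whatever reference count the substituted zval had while it was held in the unserialize var table. That may be one source of the leak the FIXME in this hunk records; copying only the payload with `ZVAL_COPY_VALUE(old_rval, return_value);` before `zval_copy_ctor(old_rval);` would leave old_rval's own counters intact, and is worth verifying against the bug #70172 test cases. The FIXME also leaves a commented-out `var_push_dtor_no_addref(&var_hash, &old_rval);` inside a use-after-free fix without saying which inputs leave old_rval unfreed or why the call cannot be enabled; spelling that out would stop a later change from re-enabling it blindly. The function begins outside this hunk.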