File php-CVE-2016-9934.patch of Package php7.3821

Overview Repositories Revisions Requests Users Attributes Meta

File php-CVE-2016-9934.patch of Package php7.3821

Index: php-7.0.7/ext/pdo/pdo_stmt.c
===================================================================
--- php-7.0.7.orig/ext/pdo/pdo_stmt.c	2016-05-25 15:13:50.000000000 +0200
+++ php-7.0.7/ext/pdo/pdo_stmt.c	2016-12-14 12:16:21.768022203 +0100
@@ -2299,6 +2299,7 @@ void pdo_stmt_init(void)
 	pdo_row_ce->ce_flags |= ZEND_ACC_FINAL; /* when removing this a lot of handlers need to be redone */
 	pdo_row_ce->create_object = pdo_row_new;
 	pdo_row_ce->serialize = pdo_row_serialize;
+	pdo_row_ce->unserialize = zend_class_unserialize_deny;
 }
 
 PDO_API void php_pdo_free_statement(pdo_stmt_t *stmt)
Index: php-7.0.7/ext/wddx/wddx.c
===================================================================
--- php-7.0.7.orig/ext/wddx/wddx.c	2016-12-14 12:16:21.772022309 +0100
+++ php-7.0.7/ext/wddx/wddx.c	2016-12-14 12:26:54.232829950 +0100
@@ -448,6 +448,16 @@ static void php_wddx_serialize_object(wd
 	zend_ulong idx;
 	char tmp_buf[WDDX_BUF_LEN];
 	HashTable *objhash, *sleephash;
+       zend_class_entry *ce;
+       PHP_CLASS_ATTRIBUTES;
+
+       PHP_SET_CLASS_ATTRIBUTES(obj);
+       ce = Z_OBJCE_P(obj);
+       if (!ce || ce->serialize || ce->unserialize) {
+               php_error_docref(NULL, E_WARNING, "Class %s can not be serialized", ZSTR_VAL(class_name));
+               PHP_CLEANUP_CLASS_ATTRIBUTES();
+               return;
+       }
 
 	ZVAL_STRING(&fname, "__sleep");
 	/*
@@ -468,8 +478,6 @@ static void php_wddx_serialize_object(wd
 			php_wddx_add_chunk_static(packet, WDDX_STRING_E);
 			php_wddx_add_chunk_static(packet, WDDX_VAR_E);
 
-			PHP_CLEANUP_CLASS_ATTRIBUTES();
-
 			objhash = Z_OBJPROP_P(obj);
 
 			ZEND_HASH_FOREACH_VAL(sleephash, varname) {
@@ -486,10 +494,6 @@ static void php_wddx_serialize_object(wd
 			php_wddx_add_chunk_static(packet, WDDX_STRUCT_E);
 		}
 	} else {
-		PHP_CLASS_ATTRIBUTES;
-
-		PHP_SET_CLASS_ATTRIBUTES(obj);
-
 		php_wddx_add_chunk_static(packet, WDDX_STRUCT_S);
 		snprintf(tmp_buf, WDDX_BUF_LEN, WDDX_VAR_S, PHP_CLASS_NAME_VAR);
 		php_wddx_add_chunk(packet, tmp_buf);
@@ -498,8 +502,6 @@ static void php_wddx_serialize_object(wd
 		php_wddx_add_chunk_static(packet, WDDX_STRING_E);
 		php_wddx_add_chunk_static(packet, WDDX_VAR_E);
 
-		PHP_CLEANUP_CLASS_ATTRIBUTES();
-
 		objhash = Z_OBJPROP_P(obj);
 		ZEND_HASH_FOREACH_KEY_VAL(objhash, idx, key, ent) {
 			if (ent == obj) {
@@ -523,6 +525,8 @@ static void php_wddx_serialize_object(wd
 		php_wddx_add_chunk_static(packet, WDDX_STRUCT_E);
 	}
 
+       PHP_CLEANUP_CLASS_ATTRIBUTES();
+
 	zval_ptr_dtor(&fname);
 	zval_ptr_dtor(&retval);
 }
@@ -941,23 +945,28 @@ static void php_wddx_pop_element(void *u
 							pce = PHP_IC_ENTRY;
 						}
 
-						/* Initialize target object */
-						object_init_ex(&obj, pce);
-
-						/* Merge current hashtable with object's default properties */
-						zend_hash_merge(Z_OBJPROP(obj),
-										Z_ARRVAL(ent2->data),
-										zval_add_ref, 0);
-
-						if (incomplete_class) {
-							php_store_class_name(&obj, Z_STRVAL(ent1->data), Z_STRLEN(ent1->data));
-						}
-
-						/* Clean up old array entry */
-						zval_ptr_dtor(&ent2->data);
-
-						/* Set stack entry to point to the newly created object */
-						ZVAL_COPY_VALUE(&ent2->data, &obj);
+                                               if (pce != PHP_IC_ENTRY && (pce->serialize || pce->unserialize)) {
+                                                       ZVAL_UNDEF(&ent2->data);
+                                                       php_error_docref(NULL, E_WARNING, "Class %s can not be unserialized", Z_STRVAL(ent1->data));
+                                               } else {
+                                                       /* Initialize target object */
+                                                       object_init_ex(&obj, pce);
+
+                                                       /* Merge current hashtable with object's default properties */
+                                                       zend_hash_merge(Z_OBJPROP(obj),
+                                                                                       Z_ARRVAL(ent2->data),
+                                                                                       zval_add_ref, 0);
+
+                                                       if (incomplete_class) {
+                                                               php_store_class_name(&obj, Z_STRVAL(ent1->data), Z_STRLEN(ent1->data));
+                                                       }
+
+                                                       /* Clean up old array entry */
+                                                       zval_ptr_dtor(&ent2->data);
+
+                                                       /* Set stack entry to point to the newly created object */
+                                                       ZVAL_COPY_VALUE(&ent2->data, &obj);
+                                               }
 
 						/* Clean up class name var entry */
 						zval_ptr_dtor(&ent1->data);

Places

File php-CVE-2016-9934.patch of Package php7.3821

Places