File php-CVE-2016-7125.patch of Package php5.3357
From 8763c6090d627d8bb0ee1d030c30e58f406be9ce Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Wed, 3 Aug 2016 00:30:12 -0700
Subject: [PATCH] Fix bug #72681 - consume data even if we're not storing them
---
 ext/session/session.c | 25 ++++++++++++++++++-------
 ext/session/tests/bug72681.phpt | 16 ++++++++++++++++
 2 files changed, 34 insertions(+), 7 deletions(-)
 create mode 100644 ext/session/tests/bug72681.phpt
diff --git a/ext/session/session.c b/ext/session/session.c
index c668bb7..b2d0236 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -924,11 +924,13 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */
 int namelen;
 int has_value;
 php_unserialize_data_t var_hash;
+ int skip = 0;
 PHP_VAR_UNSERIALIZE_INIT(var_hash);
 for (p = val; p < endptr; ) {
 zval **tmp;
+ skip = 0;
 namelen = ((unsigned char)(*p)) & (~PS_BIN_UNDEF);
 if (namelen < 0 || namelen > PS_BIN_MAX || (p + namelen) >= endptr) {
@@ -944,22 +946,25 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */
 if (zend_hash_find(&EG(symbol_table), name, namelen + 1, (void **) &tmp) == SUCCESS) {
 if ((Z_TYPE_PP(tmp) == IS_ARRAY && Z_ARRVAL_PP(tmp) == &EG(symbol_table)) || *tmp == PS(http_session_vars)) {
- efree(name);
- continue;
+ skip = 1;
 }
 }
 if (has_value) {
 ALLOC_INIT_ZVAL(current);
 if (php_var_unserialize(¤t, (const unsigned char **) &p, (const unsigned char *) endptr, &var_hash TSRMLS_CC)) {
- php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC);
+ if (!skip) {
+ php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC);
+ }
 } else {
 PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
 return FAILURE;
 }
 var_push_dtor_no_addref(&var_hash, ¤t);
 }
- PS_ADD_VARL(name, namelen);
+ if (!skip) {
+ PS_ADD_VARL(name, namelen);
+ }
 efree(name);
 }
@@ -1016,6 +1021,7 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
 int namelen;
 int has_value;
 php_unserialize_data_t var_hash;
+ int skip = 0;
 PHP_VAR_UNSERIALIZE_INIT(var_hash);
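Review bot: In the php_binary decoder (`@@ -944` hunk), the `else` branch taken when `php_var_unserialize()` fails still returns `FAILURE` without `efree(name)` and without handing `current` to `var_hash` first, so both allocations appear to be leaked on that path. Because this change sends names that used to be skipped through unserialization as well, malformed data stored under such a name now reaches that branch too. The php decoder's matching branch in the `@@ -1040` hunk does this cleanup; mirroring it here would be `var_push_dtor_no_addref(&var_hash, &current); efree(name);` ahead of `PHP_VAR_UNSERIALIZE_DESTROY(var_hash);`. The allocation of `name` lies above the hunk, so its ownership should be confirmed against the full function.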
@@ -1024,6 +1030,7 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
 while (p < endptr) {
 zval **tmp;
 q = p;
+ skip = 0;
 while (*q != PS_DELIMITER) {
 if (++q >= endptr) goto break_outer_loop;
 }
@@ -1040,14 +1047,16 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
 if (zend_hash_find(&EG(symbol_table), name, namelen + 1, (void **) &tmp) == SUCCESS) {
 if ((Z_TYPE_PP(tmp) == IS_ARRAY && Z_ARRVAL_PP(tmp) == &EG(symbol_table)) || *tmp == PS(http_session_vars)) {
- goto skip;
+ skip = 1;
 }
 }
 if (has_value) {
 ALLOC_INIT_ZVAL(current);
 if (php_var_unserialize(¤t, (const unsigned char **) &q, (const unsigned char *) endptr, &var_hash TSRMLS_CC)) {
- php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC);
+ if (!skip) {
+ php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC);
+ }
 } else {
 var_push_dtor_no_addref(&var_hash, ¤t);
 efree(name);
@@ -1056,7 +1065,9 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
 }
 var_push_dtor_no_addref(&var_hash, ¤t);
 }
- PS_ADD_VARL(name, namelen);
+ if (!skip) {
+ PS_ADD_VARL(name, namelen);
+ }
 skip:
 efree(name);
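Review bot: The `skip:` label kept in the `@@ -1056` hunk no longer has a visible user, since the only `goto skip;` shown is removed in the `@@ -1040` hunk; if no other jump to it exists in the function, compilers will report an unused label. It also now shares its name with the new `int skip` flag, which is legal C but easy to misread. Dropping the `skip:` line, and adding a comment such as `/* skip == 1: value is still consumed so the cursor advances, but it must not be stored */` beside the flag checks, would make the control flow clearer. The function body starts and ends outside these hunks.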