Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
Please login to access the resource
SUSE:SLE-12:Update
php5.10549
php-CVE-2016-9934.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File php-CVE-2016-9934.patch of Package php5.10549
Index: php-5.6.1/ext/pdo/pdo_stmt.c =================================================================== --- php-5.6.1.orig/ext/pdo/pdo_stmt.c 2014-10-01 11:17:38.000000000 +0200 +++ php-5.6.1/ext/pdo/pdo_stmt.c 2016-12-14 12:31:02.815437269 +0100 @@ -2352,6 +2352,7 @@ void pdo_stmt_init(TSRMLS_D) pdo_row_ce->ce_flags |= ZEND_ACC_FINAL_CLASS; /* when removing this a lot of handlers need to be redone */ pdo_row_ce->create_object = pdo_row_new; pdo_row_ce->serialize = pdo_row_serialize; + pdo_row_ce->unserialize = zend_class_unserialize_deny; } static void free_statement(pdo_stmt_t *stmt TSRMLS_DC) Index: php-5.6.1/ext/wddx/wddx.c =================================================================== --- php-5.6.1.orig/ext/wddx/wddx.c 2016-12-14 12:31:02.771436100 +0100 +++ php-5.6.1/ext/wddx/wddx.c 2016-12-14 12:39:16.440553686 +0100 @@ -471,8 +471,18 @@ static void php_wddx_serialize_object(wd ulong idx; char tmp_buf[WDDX_BUF_LEN]; HashTable *objhash, *sleephash; + zend_class_entry *ce; + PHP_CLASS_ATTRIBUTES; TSRMLS_FETCH(); + PHP_SET_CLASS_ATTRIBUTES(obj); + ce = Z_OBJCE_P(obj); + if (!ce || ce->serialize || ce->unserialize) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Class %s can not be serialized", class_name); + PHP_CLEANUP_CLASS_ATTRIBUTES(); + return; + } + MAKE_STD_ZVAL(fname); ZVAL_STRING(fname, "__sleep", 1); @@ -482,10 +492,6 @@ static void php_wddx_serialize_object(wd */ if (call_user_function_ex(CG(function_table), &obj, fname, &retval, 0, 0, 1, NULL TSRMLS_CC) == SUCCESS) { if (retval && (sleephash = HASH_OF(retval))) { - PHP_CLASS_ATTRIBUTES; - - PHP_SET_CLASS_ATTRIBUTES(obj); - php_wddx_add_chunk_static(packet, WDDX_STRUCT_S); snprintf(tmp_buf, WDDX_BUF_LEN, WDDX_VAR_S, PHP_CLASS_NAME_VAR); php_wddx_add_chunk(packet, tmp_buf); @@ -494,8 +500,6 @@ static void php_wddx_serialize_object(wd php_wddx_add_chunk_static(packet, WDDX_STRING_E); php_wddx_add_chunk_static(packet, WDDX_VAR_E); - PHP_CLEANUP_CLASS_ATTRIBUTES(); - objhash = HASH_OF(obj); for (zend_hash_internal_pointer_reset(sleephash); @@ -516,10 +520,6 @@ static void php_wddx_serialize_object(wd } else { uint key_len; - PHP_CLASS_ATTRIBUTES; - - PHP_SET_CLASS_ATTRIBUTES(obj); - php_wddx_add_chunk_static(packet, WDDX_STRUCT_S); snprintf(tmp_buf, WDDX_BUF_LEN, WDDX_VAR_S, PHP_CLASS_NAME_VAR); php_wddx_add_chunk(packet, tmp_buf); @@ -528,8 +528,6 @@ static void php_wddx_serialize_object(wd php_wddx_add_chunk_static(packet, WDDX_STRING_E); php_wddx_add_chunk_static(packet, WDDX_VAR_E); - PHP_CLEANUP_CLASS_ATTRIBUTES(); - objhash = HASH_OF(obj); for (zend_hash_internal_pointer_reset(objhash); zend_hash_get_current_data(objhash, (void**)&ent) == SUCCESS; @@ -551,6 +549,8 @@ static void php_wddx_serialize_object(wd php_wddx_add_chunk_static(packet, WDDX_STRUCT_E); } + PHP_CLEANUP_CLASS_ATTRIBUTES(); + zval_dtor(fname); FREE_ZVAL(fname); @@ -1010,25 +1010,30 @@ static void php_wddx_pop_element(void *u pce = &PHP_IC_ENTRY; } - /* Initialize target object */ - MAKE_STD_ZVAL(obj); - object_init_ex(obj, *pce); - - /* Merge current hashtable with object's default properties */ - zend_hash_merge(Z_OBJPROP_P(obj), - Z_ARRVAL_P(ent2->data), - (void (*)(void *)) zval_add_ref, - (void *) &tmp, sizeof(zval *), 0); - - if (incomplete_class) { - php_store_class_name(obj, Z_STRVAL_P(ent1->data), Z_STRLEN_P(ent1->data)); - } - - /* Clean up old array entry */ - zval_ptr_dtor(&ent2->data); - - /* Set stack entry to point to the newly created object */ - ent2->data = obj; + if (pce != &PHP_IC_ENTRY && ((*pce)->serialize || (*pce)->unserialize)) { + ent2->data = NULL; + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Class %s can not be unserialized", Z_STRVAL_P(ent1->data)); + } else { + /* Initialize target object */ + MAKE_STD_ZVAL(obj); + object_init_ex(obj, *pce); + + /* Merge current hashtable with object's default properties */ + zend_hash_merge(Z_OBJPROP_P(obj), + Z_ARRVAL_P(ent2->data), + (void (*)(void *)) zval_add_ref, + (void *) &tmp, sizeof(zval *), 0); + + if (incomplete_class) { + php_store_class_name(obj, Z_STRVAL_P(ent1->data), Z_STRLEN_P(ent1->data)); + } + + /* Clean up old array entry */ + zval_ptr_dtor(&ent2->data); + + /* Set stack entry to point to the newly created object */ + ent2->data = obj; + } /* Clean up class name var entry */ zval_ptr_dtor(&ent1->data);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
