File php-CVE-2017-12934.patch of Package php7

Overview Repositories Revisions Requests Users Attributes Meta

File php-CVE-2017-12934.patch of Package php7

Index: php-7.0.7/ext/standard/var_unserializer.re
===================================================================
--- php-7.0.7.orig/ext/standard/var_unserializer.re	2017-08-29 15:23:44.627769363 +0200
+++ php-7.0.7/ext/standard/var_unserializer.re	2017-08-29 15:23:44.639769540 +0200
@@ -500,6 +500,10 @@ static inline int object_common2(UNSERIA
                && zend_hash_str_exists(&Z_OBJCE_P(rval)->function_table, "__wakeup", sizeof("__wakeup")-1);
 
 	ht = Z_OBJPROP_P(rval);
+	if (elements >= HT_MAX_SIZE - zend_hash_num_elements(ht)) {
+		return 0;
+	}
+
 	zend_hash_extend(ht, zend_hash_num_elements(ht) + elements, (ht->u.flags & HASH_FLAG_PACKED));
 	if (!process_nested_data(UNSERIALIZE_PASSTHRU, ht, elements, 1)) {
                if (has_wakeup) {
@@ -760,7 +764,7 @@ use_double:
 	*p = YYCURSOR;
     if (!var_hash) return 0;
 
-	if (elements < 0) {
+	if (elements < 0 || elements >= HT_MAX_SIZE) {
 		return 0;
 	}
 
@@ -783,7 +787,7 @@ use_double:
     if (!var_hash) return 0;
 
 	elements = object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR);
-	if (elements < 0) {
+	if (elements < 0 || elements >= HT_MAX_SIZE) {
 		return 0;
 	}
 	return object_common2(UNSERIALIZE_PASSTHRU, elements);

Places

File php-CVE-2017-12934.patch of Package php7

Places