Merge branch 'PHP-5.4' into PHP-5.5
* PHP-5.4:
  Fix bug #69248 - heap overflow vulnerability in regcomp.c
  add test for bug #68976
commit
bf2f03ddb3
3
NEWS
3
NEWS
@ -21,6 +21,9 @@ PHP NEWS
|
|||||||
. Fixed bug #65406 (Enchant broker plugins are in the wrong place in windows
|
. Fixed bug #65406 (Enchant broker plugins are in the wrong place in windows
|
||||||
builds). (Anatol)
|
builds). (Anatol)
|
||||||
|
|
||||||
|
- Ereg:
|
||||||
|
. Fixed bug #69248 (heap overflow vulnerability in regcomp.c). (Stas)
|
||||||
|
|
||||||
- Filter:
|
- Filter:
|
||||||
. Fixed bug #69202 (FILTER_FLAG_STRIP_BACKTICK ignored unless other
|
. Fixed bug #69202 (FILTER_FLAG_STRIP_BACKTICK ignored unless other
|
||||||
flags are used). (Jeff Welch)
|
flags are used). (Jeff Welch)
|
||||||
|
@ -117,7 +117,15 @@ int cflags;
|
|||||||
(NC-1)*sizeof(cat_t));
|
(NC-1)*sizeof(cat_t));
|
||||||
if (g == NULL)
|
if (g == NULL)
|
||||||
return(REG_ESPACE);
|
return(REG_ESPACE);
|
||||||
p->ssize = len/(size_t)2*(size_t)3 + (size_t)1; /* ugh */
|
{
|
||||||
|
/* Patched for CERT Vulnerability Note VU#695940, Feb 2015. */
|
||||||
|
size_t new_ssize = len/(size_t)2*(size_t)3 + (size_t)1; /* ugh */
|
||||||
|
if (new_ssize < len || new_ssize > LONG_MAX / sizeof(sop)) {
|
||||||
|
free((char *) g);
|
||||||
|
return REG_INVARG;
|
||||||
|
}
|
||||||
|
p->ssize = new_ssize;
|
||||||
|
}
|
||||||
p->strip = (sop *)malloc(p->ssize * sizeof(sop));
|
p->strip = (sop *)malloc(p->ssize * sizeof(sop));
|
||||||
p->slen = 0;
|
p->slen = 0;
|
||||||
if (p->strip == NULL) {
|
if (p->strip == NULL) {
|
||||||
|
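Review bot: The new guard `if (new_ssize < len || new_ssize > LONG_MAX / sizeof(sop))` bounds only this initial sizing of `p->strip`. If the strip is grown later in this file with similar arithmetic before a `* sizeof(sop)` allocation (not visible in this hunk), that path needs the same bound and is worth confirming. The added comment names only the CERT note; I would also say what is rejected, e.g. `/* reject lengths whose strip size wraps size_t or overflows the malloc() argument (VU#695940) */`. `LONG_MAX` requires `<limits.h>`, whose include is not visible here, and `return REG_INVARG;` departs from the parenthesised `return(REG_ESPACE);` form used in the context line just above. The enclosing function starts and ends outside the hunk.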
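--- a/ext/standard/tests/serialize/bug68976.phpt
+++ b/ext/standard/tests/serialize/bug68976.phpt
@@ -0,0 +1,37 @@
+--TEST--
+Bug #68976 Use After Free Vulnerability in unserialize()
+--FILE--
+<?php
+class evilClass {
+public $name;
+function __wakeup() {
+unset($this->name);
+}
+}
+
+$fakezval = pack(
+'IIII',
+0x00100000,
+0x00000400,
+0x00000000,
+0x00000006
+);
+
+$data = unserialize('a:2:{i:0;O:9:"evilClass":1:{s:4:"name";a:2:{i:0;i:1;i:1;i:2;}}i:1;R:4;}');
+
+for($i = 0; $i < 5; $i++) {
+$v[$i] = $fakezval.$i;
+}
+
+var_dump($data);
+?>
+===DONE===
+--EXPECTF--
+array(2) {
+[0]=>
+object(evilClass)#1 (0) {
+}
+[1]=>
+int(1)
+}
+===DONE===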
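Review bot: The `--EXPECTF--` section contains no format placeholders, so `--EXPECT--` would state the intent exactly and avoid accidental pattern matching if the expected output ever gains a `%`. The `$fakezval` loop only influences the result if the memory released in `__wakeup()` is reused by those strings, which presumably depends on word size and allocator behaviour, so on some builds the test may pass even without the fix. A one-line comment above the loop would make that purpose clear to maintainers, e.g. `// refill freed slots so a dangling reference would show up as corrupted output`. Running this test under a memory checker as well would catch a regression independently of heap layout.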