Merge branch 'PHP-5.4' into PHP-5.5

* PHP-5.4:
  Fix bug #69248 - heap overflow vulnerability in regcomp.c
  add test for bug #68976
Stanislav Malyshev 2015-03-17 17:07:38 -07:00
commit bf2f03ddb3
3 changed files with 49 additions and 1 deletions

3
NEWS

@ -21,6 +21,9 @@ PHP NEWS
. Fixed bug #65406 (Enchant broker plugins are in the wrong place in windows . Fixed bug #65406 (Enchant broker plugins are in the wrong place in windows
builds). (Anatol) builds). (Anatol)
- Ereg:
. Fixed bug #69248 (heap overflow vulnerability in regcomp.c). (Stas)
- Filter: - Filter:
. Fixed bug #69202 (FILTER_FLAG_STRIP_BACKTICK ignored unless other . Fixed bug #69202 (FILTER_FLAG_STRIP_BACKTICK ignored unless other
flags are used). (Jeff Welch) flags are used). (Jeff Welch)


@ -117,7 +117,15 @@ int cflags;
(NC-1)*sizeof(cat_t)); (NC-1)*sizeof(cat_t));
if (g == NULL) if (g == NULL)
return(REG_ESPACE); return(REG_ESPACE);
p->ssize = len/(size_t)2*(size_t)3 + (size_t)1; /* ugh */ {
/* Patched for CERT Vulnerability Note VU#695940, Feb 2015. */
size_t new_ssize = len/(size_t)2*(size_t)3 + (size_t)1; /* ugh */
if (new_ssize < len || new_ssize > LONG_MAX / sizeof(sop)) {
free((char *) g);
return REG_INVARG;
}
p->ssize = new_ssize;
}
p->strip = (sop *)malloc(p->ssize * sizeof(sop)); p->strip = (sop *)malloc(p->ssize * sizeof(sop));
p->slen = 0; p->slen = 0;
if (p->strip == NULL) { if (p->strip == NULL) {
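Review bot: The guard added before `p->ssize = new_ssize;` is documented only by the advisory number, so a reader cannot tell which overflow each half of the condition rejects or why the limit is `LONG_MAX` rather than a `size_t` maximum. I would put a comment above the `if` along the lines of `/* new_ssize < len: the len/2*3+1 estimate wrapped; the second test keeps ssize * sizeof(sop) in the malloc below from overflowing */`, and add the reason for `LONG_MAX` if it is tied to the type of `p->ssize`, which this hunk does not show. On style, the new `return REG_INVARG;` does not match the `return(REG_ESPACE);` form just above it, and the cast in `free((char *) g);` is unnecessary; `free(g);` is enough. The enclosing function starts and ends outside the hunk, so whether `<limits.h>` is included and whether later growth of `p->strip` is bounded the same way cannot be checked from here.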


@ -0,0 +1,37 @@
--TEST--
Bug #68976 Use After Free Vulnerability in unserialize()
--FILE--
<?php
class evilClass {
public $name;
function __wakeup() {
unset($this->name);
}
}
$fakezval = pack(
'IIII',
0x00100000,
0x00000400,
0x00000000,
0x00000006
);
$data = unserialize('a:2:{i:0;O:9:"evilClass":1:{s:4:"name";a:2:{i:0;i:1;i:1;i:2;}}i:1;R:4;}');
for($i = 0; $i < 5; $i++) {
$v[$i] = $fakezval.$i;
}
var_dump($data);
?>
===DONE===
--EXPECTF--
array(2) {
[0]=>
object(evilClass)#1 (0) {
}
[1]=>
int(1)
}
===DONE===
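Review bot: The `--EXPECTF--` section contains no format placeholders, so `--EXPECT--` would compare the output exactly and is the stricter choice for this test. The test also detects a regression only through the dumped value of `$data[1]` or a crash. Since the bug is a use-after-free, the test is presumably more reliable when the suite is run under a memory checker (for example `run-tests.php -m`), and a short comment at the top of the `--FILE--` section could say so.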