From 08069d1e5b43644dc9cac9bd4d645304320cc0d0 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Wed, 6 Jan 2016 17:23:22 +0100 Subject: PHP 5.4.45 with security patches from 5.5.31 --- bug70741.patch | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 64 insertions(+) create mode 100644 bug70741.patch (limited to 'bug70741.patch') diff --git a/bug70741.patch b/bug70741.patch new file mode 100644 index 0000000..1704bfb --- /dev/null +++ b/bug70741.patch @@ -0,0 +1,64 @@ +Backported from 5.5 for 5.4 by Remi Collet + +From 1785d2b805f64eaaacf98c14c9e13107bf085ab1 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 28 Dec 2015 12:42:44 -0800 +Subject: [PATCH] Fixed bug #70741: Session WDDX Packet Deserialization Type + Confusion Vulnerability + +--- + NEWS | 4 ++ + ext/wddx/tests/bug70741.phpt | 26 ++++++++ + ext/wddx/wddx.c | 139 ++++++++++++++++++++++--------------------- + 3 files changed, 101 insertions(+), 68 deletions(-) + create mode 100644 ext/wddx/tests/bug70741.phpt + +diff --git a/ext/wddx/tests/bug70741.phpt b/ext/wddx/tests/bug70741.phpt +new file mode 100644 +index 0000000..9c7e09b +--- /dev/null ++++ b/ext/wddx/tests/bug70741.phpt +@@ -0,0 +1,26 @@ ++--TEST-- ++Bug #70741 (Session WDDX Packet Deserialization Type Confusion Vulnerability) ++--SKIPIF-- ++ ++--FILE-- ++ ++ ++
++ ++ $hashtable ++ ++"; ++session_decode($wddx); ++?> ++DONE ++--EXPECTF-- ++ ++Warning: session_decode(): Failed to decode session object. Session has been destroyed in %s on line %d ++DONE +\ No newline at end of file +diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c +index 45beaece..8017620 100644 +--- a/ext/wddx/wddx.c ++++ b/ext/wddx/wddx.c +@@ -308,7 +308,10 @@ PS_SERIALIZER_DECODE_FUNC(wddx) + MAKE_STD_ZVAL(retval); + + if ((ret = php_wddx_deserialize_ex((char *)val, vallen, retval)) == SUCCESS) { +- ++ if (Z_TYPE_P(retval) != IS_ARRAY) { ++ zval_ptr_dtor(&retval); ++ return FAILURE; ++ } + for (zend_hash_internal_pointer_reset(Z_ARRVAL_P(retval)); + zend_hash_get_current_data(Z_ARRVAL_P(retval), (void **) &ent) == SUCCESS; + zend_hash_move_forward(Z_ARRVAL_P(retval))) { -- cgit