diff options
Diffstat (limited to 'main/php/CVE-2010-2225.patch')
-rw-r--r-- | main/php/CVE-2010-2225.patch | 194 |
1 files changed, 194 insertions, 0 deletions
diff --git a/main/php/CVE-2010-2225.patch b/main/php/CVE-2010-2225.patch new file mode 100644 index 0000000000..08c71f26b0 --- /dev/null +++ b/main/php/CVE-2010-2225.patch @@ -0,0 +1,194 @@ +Index: ext/spl/tests/SplObjectStorage_unserialize_nested.phpt +=================================================================== +--- ext/spl/tests/SplObjectStorage_unserialize_nested.phpt (revision 0) ++++ ext/spl/tests/SplObjectStorage_unserialize_nested.phpt (revision 300843) +@@ -0,0 +1,47 @@ ++--TEST-- ++SPL: Test unserializing tested & linked storage ++--FILE-- ++<?php ++$o = new StdClass(); ++$a = new StdClass(); ++ ++$o->a = $a; ++ ++$so = new SplObjectStorage(); ++ ++$so[$o] = 1; ++$so[$a] = 2; ++ ++$s = serialize($so); ++echo $s."\n"; ++ ++$so1 = unserialize($s); ++var_dump($so1); ++ ++--EXPECTF-- ++C:16:"SplObjectStorage":76:{x:i:2;O:8:"stdClass":1:{s:1:"a";O:8:"stdClass":0:{}},i:1;;r:2;,i:2;;m:a:0:{}} ++object(SplObjectStorage)#4 (1) { ++ ["storage":"SplObjectStorage":private]=> ++ array(2) { ++ ["%s"]=> ++ array(2) { ++ ["obj"]=> ++ object(stdClass)#5 (1) { ++ ["a"]=> ++ object(stdClass)#6 (0) { ++ } ++ } ++ ["inf"]=> ++ int(1) ++ } ++ ["%s"]=> ++ array(2) { ++ ["obj"]=> ++ object(stdClass)#6 (0) { ++ } ++ ["inf"]=> ++ int(2) ++ } ++ } ++} ++ +Index: ext/spl/tests/SplObjectStorage_unserialize_bad.phpt +=================================================================== +--- ext/spl/tests/SplObjectStorage_unserialize_bad.phpt (revision 0) ++++ ext/spl/tests/SplObjectStorage_unserialize_bad.phpt (revision 300843) +@@ -0,0 +1,45 @@ ++--TEST-- ++SPL: Test that serialized blob contains unique elements (CVE-2010-2225) ++--FILE-- ++<?php ++ ++$badblobs = array( ++'x:i:2;i:0;,i:1;;i:0;,i:2;;m:a:0:{}', ++'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}', ++'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}', ++); ++foreach($badblobs as $blob) { ++try { ++ $so = new SplObjectStorage(); ++ $so->unserialize($blob); ++ var_dump($so); ++} catch(UnexpectedValueException $e) { ++ echo $e->getMessage()."\n"; ++} ++} ++--EXPECTF-- ++Error at offset 6 of 34 bytes ++Error at offset 46 of 89 bytes ++object(SplObjectStorage)#2 (1) { ++ ["storage":"SplObjectStorage":private]=> ++ array(2) { ++ ["%s"]=> ++ array(2) { ++ ["obj"]=> ++ object(stdClass)#3 (0) { ++ } ++ ["inf"]=> ++ int(1) ++ } ++ ["%s"]=> ++ array(2) { ++ ["obj"]=> ++ object(stdClass)#1 (0) { ++ } ++ ["inf"]=> ++ object(stdClass)#4 (0) { ++ } ++ } ++ } ++} ++ +Index: ext/spl/spl_observer.c +=================================================================== +--- ext/spl/spl_observer.c (revision 300842) ++++ ext/spl/spl_observer.c (revision 300843) +@@ -115,6 +115,7 @@ + zval_ptr_dtor(&element->inf); + } /* }}} */ + ++ + spl_SplObjectStorageElement* spl_object_storage_get(spl_SplObjectStorage *intern, zval *obj TSRMLS_DC) /* {{{ */ + { + spl_SplObjectStorageElement *element; +@@ -632,15 +633,24 @@ + zval_ptr_dtor(&pcount); + + while(count-- > 0) { ++ spl_SplObjectStorageElement *pelement; ++ + if (*p != ';') { + goto outexcept; + } + ++p; ++ if(*p != 'O' && *p != 'C' && *p != 'r') { ++ goto outexcept; ++ } + ALLOC_INIT_ZVAL(pentry); + if (!php_var_unserialize(&pentry, &p, s + buf_len, &var_hash TSRMLS_CC)) { + zval_ptr_dtor(&pentry); + goto outexcept; + } ++ if(Z_TYPE_P(pentry) != IS_OBJECT) { ++ zval_ptr_dtor(&pentry); ++ goto outexcept; ++ } + ALLOC_INIT_ZVAL(pinf); + if (*p == ',') { /* new version has inf */ + ++p; +@@ -649,6 +659,16 @@ + goto outexcept; + } + } ++ ++ pelement = spl_object_storage_get(intern, pentry TSRMLS_CC); ++ if(pelement) { ++ if(pelement->inf) { ++ var_push_dtor(&var_hash, &pelement->inf); ++ } ++ if(pelement->obj) { ++ var_push_dtor(&var_hash, &pelement->obj); ++ } ++ } + spl_object_storage_attach(intern, pentry, pinf TSRMLS_CC); + zval_ptr_dtor(&pentry); + zval_ptr_dtor(&pinf); +Index: ext/standard/var_unserializer.c +=================================================================== +--- ext/standard/var_unserializer.c (revision 300842) ++++ ext/standard/var_unserializer.c (revision 300843) +@@ -56,7 +56,7 @@ + var_hash->data[var_hash->used_slots++] = *rval; + } + +-static inline void var_push_dtor(php_unserialize_data_t *var_hashx, zval **rval) ++PHPAPI void var_push_dtor(php_unserialize_data_t *var_hashx, zval **rval) + { + var_entries *var_hash = var_hashx->first_dtor, *prev = NULL; + +Index: ext/standard/php_var.h +=================================================================== +--- ext/standard/php_var.h (revision 300842) ++++ ext/standard/php_var.h (revision 300843) +@@ -60,6 +60,7 @@ + var_destroy(&(var_hash)) + + PHPAPI void var_replace(php_unserialize_data_t *var_hash, zval *ozval, zval **nzval); ++PHPAPI void var_push_dtor(php_unserialize_data_t *var_hash, zval **val); + PHPAPI void var_destroy(php_unserialize_data_t *var_hash); + + #define PHP_VAR_UNSERIALIZE_ZVAL_CHANGED(var_hash, ozval, nzval) \ +Index: ext/standard/var_unserializer.re +=================================================================== +--- ext/standard/var_unserializer.re (revision 300842) ++++ ext/standard/var_unserializer.re (revision 300843) +@@ -54,7 +54,7 @@ + var_hash->data[var_hash->used_slots++] = *rval; + } + +-static inline void var_push_dtor(php_unserialize_data_t *var_hashx, zval **rval) ++PHPAPI void var_push_dtor(php_unserialize_data_t *var_hashx, zval **rval) + { + var_entries *var_hash = var_hashx->first_dtor, *prev = NULL; + |