diff options
Diffstat (limited to 'main/php/CVE-2010-2225.patch')
| -rw-r--r-- | main/php/CVE-2010-2225.patch | 194 |
1 files changed, 0 insertions, 194 deletions
diff --git a/main/php/CVE-2010-2225.patch b/main/php/CVE-2010-2225.patch deleted file mode 100644 index 08c71f26b0..0000000000 --- a/main/php/CVE-2010-2225.patch +++ /dev/null @@ -1,194 +0,0 @@ -Index: ext/spl/tests/SplObjectStorage_unserialize_nested.phpt -=================================================================== ---- ext/spl/tests/SplObjectStorage_unserialize_nested.phpt (revision 0) -+++ ext/spl/tests/SplObjectStorage_unserialize_nested.phpt (revision 300843) -@@ -0,0 +1,47 @@ -+--TEST-- -+SPL: Test unserializing tested & linked storage -+--FILE-- -+<?php -+$o = new StdClass(); -+$a = new StdClass(); -+ -+$o->a = $a; -+ -+$so = new SplObjectStorage(); -+ -+$so[$o] = 1; -+$so[$a] = 2; -+ -+$s = serialize($so); -+echo $s."\n"; -+ -+$so1 = unserialize($s); -+var_dump($so1); -+ -+--EXPECTF-- -+C:16:"SplObjectStorage":76:{x:i:2;O:8:"stdClass":1:{s:1:"a";O:8:"stdClass":0:{}},i:1;;r:2;,i:2;;m:a:0:{}} -+object(SplObjectStorage)#4 (1) { -+ ["storage":"SplObjectStorage":private]=> -+ array(2) { -+ ["%s"]=> -+ array(2) { -+ ["obj"]=> -+ object(stdClass)#5 (1) { -+ ["a"]=> -+ object(stdClass)#6 (0) { -+ } -+ } -+ ["inf"]=> -+ int(1) -+ } -+ ["%s"]=> -+ array(2) { -+ ["obj"]=> -+ object(stdClass)#6 (0) { -+ } -+ ["inf"]=> -+ int(2) -+ } -+ } -+} -+ -Index: ext/spl/tests/SplObjectStorage_unserialize_bad.phpt -=================================================================== ---- ext/spl/tests/SplObjectStorage_unserialize_bad.phpt (revision 0) -+++ ext/spl/tests/SplObjectStorage_unserialize_bad.phpt (revision 300843) -@@ -0,0 +1,45 @@ -+--TEST-- -+SPL: Test that serialized blob contains unique elements (CVE-2010-2225) -+--FILE-- -+<?php -+ -+$badblobs = array( -+'x:i:2;i:0;,i:1;;i:0;,i:2;;m:a:0:{}', -+'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}', -+'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}', -+); -+foreach($badblobs as $blob) { -+try { -+ $so = new SplObjectStorage(); -+ $so->unserialize($blob); -+ var_dump($so); -+} catch(UnexpectedValueException $e) { -+ echo $e->getMessage()."\n"; -+} -+} -+--EXPECTF-- -+Error at offset 6 of 34 bytes -+Error at offset 46 of 89 bytes -+object(SplObjectStorage)#2 (1) { -+ ["storage":"SplObjectStorage":private]=> -+ array(2) { -+ ["%s"]=> -+ array(2) { -+ ["obj"]=> -+ object(stdClass)#3 (0) { -+ } -+ ["inf"]=> -+ int(1) -+ } -+ ["%s"]=> -+ array(2) { -+ ["obj"]=> -+ object(stdClass)#1 (0) { -+ } -+ ["inf"]=> -+ object(stdClass)#4 (0) { -+ } -+ } -+ } -+} -+ -Index: ext/spl/spl_observer.c -=================================================================== ---- ext/spl/spl_observer.c (revision 300842) -+++ ext/spl/spl_observer.c (revision 300843) -@@ -115,6 +115,7 @@ - zval_ptr_dtor(&element->inf); - } /* }}} */ - -+ - spl_SplObjectStorageElement* spl_object_storage_get(spl_SplObjectStorage *intern, zval *obj TSRMLS_DC) /* {{{ */ - { - spl_SplObjectStorageElement *element; -@@ -632,15 +633,24 @@ - zval_ptr_dtor(&pcount); - - while(count-- > 0) { -+ spl_SplObjectStorageElement *pelement; -+ - if (*p != ';') { - goto outexcept; - } - ++p; -+ if(*p != 'O' && *p != 'C' && *p != 'r') { -+ goto outexcept; -+ } - ALLOC_INIT_ZVAL(pentry); - if (!php_var_unserialize(&pentry, &p, s + buf_len, &var_hash TSRMLS_CC)) { - zval_ptr_dtor(&pentry); - goto outexcept; - } -+ if(Z_TYPE_P(pentry) != IS_OBJECT) { -+ zval_ptr_dtor(&pentry); -+ goto outexcept; -+ } - ALLOC_INIT_ZVAL(pinf); - if (*p == ',') { /* new version has inf */ - ++p; -@@ -649,6 +659,16 @@ - goto outexcept; - } - } -+ -+ pelement = spl_object_storage_get(intern, pentry TSRMLS_CC); -+ if(pelement) { -+ if(pelement->inf) { -+ var_push_dtor(&var_hash, &pelement->inf); -+ } -+ if(pelement->obj) { -+ var_push_dtor(&var_hash, &pelement->obj); -+ } -+ } - spl_object_storage_attach(intern, pentry, pinf TSRMLS_CC); - zval_ptr_dtor(&pentry); - zval_ptr_dtor(&pinf); -Index: ext/standard/var_unserializer.c -=================================================================== ---- ext/standard/var_unserializer.c (revision 300842) -+++ ext/standard/var_unserializer.c (revision 300843) -@@ -56,7 +56,7 @@ - var_hash->data[var_hash->used_slots++] = *rval; - } - --static inline void var_push_dtor(php_unserialize_data_t *var_hashx, zval **rval) -+PHPAPI void var_push_dtor(php_unserialize_data_t *var_hashx, zval **rval) - { - var_entries *var_hash = var_hashx->first_dtor, *prev = NULL; - -Index: ext/standard/php_var.h -=================================================================== ---- ext/standard/php_var.h (revision 300842) -+++ ext/standard/php_var.h (revision 300843) -@@ -60,6 +60,7 @@ - var_destroy(&(var_hash)) - - PHPAPI void var_replace(php_unserialize_data_t *var_hash, zval *ozval, zval **nzval); -+PHPAPI void var_push_dtor(php_unserialize_data_t *var_hash, zval **val); - PHPAPI void var_destroy(php_unserialize_data_t *var_hash); - - #define PHP_VAR_UNSERIALIZE_ZVAL_CHANGED(var_hash, ozval, nzval) \ -Index: ext/standard/var_unserializer.re -=================================================================== ---- ext/standard/var_unserializer.re (revision 300842) -+++ ext/standard/var_unserializer.re (revision 300843) -@@ -54,7 +54,7 @@ - var_hash->data[var_hash->used_slots++] = *rval; - } - --static inline void var_push_dtor(php_unserialize_data_t *var_hashx, zval **rval) -+PHPAPI void var_push_dtor(php_unserialize_data_t *var_hashx, zval **rval) - { - var_entries *var_hash = var_hashx->first_dtor, *prev = NULL; - |