php/sme8/php-5.3.3-CVE-2014-4670.patch

Patch adapted for PHP 5.3.3

Orginal patch:
From df78c48354f376cf419d7a97f88ca07d572f00fb Mon Sep 17 00:00:00 2001
From: Xinchen Hui <laruence@php.net>
Date: Wed, 2 Jul 2014 17:45:09 +0800
Subject: [PATCH] Fixed Bug #67538 (SPL Iterators use-after-free)

---
 NEWS                        |  3 +++
 ext/spl/spl_dllist.c        |  7 +++++--
 ext/spl/tests/bug67538.phpt | 17 +++++++++++++++++
 3 files changed, 25 insertions(+), 2 deletions(-)
 create mode 100644 ext/spl/tests/bug67538.phpt

diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c
index 39a0733..0b44d41 100644
--- a/ext/spl/spl_dllist.c
+++ b/ext/spl/spl_dllist.c
@@ -40,12 +40,10 @@ PHPAPI zend_class_entry  *spl_ce_SplStack;
 
 #define SPL_LLIST_DELREF(elem) if(!--(elem)->rc) { \
        efree(elem); \
-       elem = NULL; \
 }
 
 #define SPL_LLIST_CHECK_DELREF(elem) if((elem) && !--(elem)->rc) { \
        efree(elem); \
-       elem = NULL; \
 }
 
 #define SPL_LLIST_ADDREF(elem) (elem)->rc++
@@ -911,6 +909,11 @@ SPL_METHOD(SplDoublyLinkedList, offsetUnset)
                        llist->dtor(element TSRMLS_CC);
                }
 
+               if (intern->traverse_pointer == element) {
+                       SPL_LLIST_DELREF(element);
+                       intern->traverse_pointer = NULL;
+               }
+
                zval_ptr_dtor((zval **)&element->data);
                element->data = NULL;
 
diff --git a/ext/spl/tests/bug67538.phpt b/ext/spl/tests/bug67538.phpt
new file mode 100644
index 0000000..b6f3848
--- /dev/null
+++ b/ext/spl/tests/bug67538.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #67538 (SPL Iterators use-after-free)
+--FILE--
+<?php
+$list = new SplDoublyLinkedList();
+$list->push('a');
+$list->push('b');
+
+$list->rewind();
+$list->offsetUnset(0);
+$list->push('b');
+$list->offsetUnset(0);
+$list->next();
+echo "okey";
+?>
+--EXPECTF--
+okey
-- 
1.9.2

1	vip-ire	1.1	Patch adapted for PHP 5.3.3
2
3			Orginal patch:
4			From df78c48354f376cf419d7a97f88ca07d572f00fb Mon Sep 17 00:00:00 2001
5			From: Xinchen Hui <laruence@php.net>
6			Date: Wed, 2 Jul 2014 17:45:09 +0800
7			Subject: [PATCH] Fixed Bug #67538 (SPL Iterators use-after-free)
8
9			---
10			NEWS \| 3 +++
11			ext/spl/spl_dllist.c \| 7 +++++--
12			ext/spl/tests/bug67538.phpt \| 17 +++++++++++++++++
13			3 files changed, 25 insertions(+), 2 deletions(-)
14			create mode 100644 ext/spl/tests/bug67538.phpt
15
16			diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c
17			index 39a0733..0b44d41 100644
18			--- a/ext/spl/spl_dllist.c
19			+++ b/ext/spl/spl_dllist.c
20			@@ -40,12 +40,10 @@ PHPAPI zend_class_entry *spl_ce_SplStack;
21
22			#define SPL_LLIST_DELREF(elem) if(!--(elem)->rc) { \
23			efree(elem); \
24			- elem = NULL; \
25			}
26
27			#define SPL_LLIST_CHECK_DELREF(elem) if((elem) && !--(elem)->rc) { \
28			efree(elem); \
29			- elem = NULL; \
30			}
31
32			#define SPL_LLIST_ADDREF(elem) (elem)->rc++
33			@@ -911,6 +909,11 @@ SPL_METHOD(SplDoublyLinkedList, offsetUnset)
34			llist->dtor(element TSRMLS_CC);
35			}
36
37			+ if (intern->traverse_pointer == element) {
38			+ SPL_LLIST_DELREF(element);
39			+ intern->traverse_pointer = NULL;
40			+ }
41			+
42			zval_ptr_dtor((zval **)&element->data);
43			element->data = NULL;
44
45			diff --git a/ext/spl/tests/bug67538.phpt b/ext/spl/tests/bug67538.phpt
46			new file mode 100644
47			index 0000000..b6f3848
48			--- /dev/null
49			+++ b/ext/spl/tests/bug67538.phpt
50			@@ -0,0 +1,17 @@
51			+--TEST--
52			+Bug #67538 (SPL Iterators use-after-free)
53			+--FILE--
54			+<?php
55			+$list = new SplDoublyLinkedList();
56			+$list->push('a');
57			+$list->push('b');
58			+
59			+$list->rewind();
60			+$list->offsetUnset(0);
61			+$list->push('b');
62			+$list->offsetUnset(0);
63			+$list->next();
64			+echo "okey";
65			+?>
66			+--EXPECTF--
67			+okey
68			--
69			1.9.2
70