php/sme8/php-5.3.3-CVE-2014-4670.patch

Patch adapted for PHP 5.3.3

Orginal patch:
From df78c48354f376cf419d7a97f88ca07d572f00fb Mon Sep 17 00:00:00 2001
From: Xinchen Hui <laruence@php.net>
Date: Wed, 2 Jul 2014 17:45:09 +0800
Subject: [PATCH] Fixed Bug #67538 (SPL Iterators use-after-free)

---
 NEWS                        |  3 +++
 ext/spl/spl_dllist.c        |  7 +++++--
 ext/spl/tests/bug67538.phpt | 17 +++++++++++++++++
 3 files changed, 25 insertions(+), 2 deletions(-)
 create mode 100644 ext/spl/tests/bug67538.phpt

diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c
index 39a0733..0b44d41 100644
--- a/ext/spl/spl_dllist.c
+++ b/ext/spl/spl_dllist.c
@@ -40,12 +40,10 @@ PHPAPI zend_class_entry  *spl_ce_SplStack;
 
 #define SPL_LLIST_DELREF(elem) if(!--(elem)->rc) { \
        efree(elem); \
-       elem = NULL; \
 }
 
 #define SPL_LLIST_CHECK_DELREF(elem) if((elem) && !--(elem)->rc) { \
        efree(elem); \
-       elem = NULL; \
 }
 
 #define SPL_LLIST_ADDREF(elem) (elem)->rc++
@@ -911,6 +909,11 @@ SPL_METHOD(SplDoublyLinkedList, offsetUnset)
                        llist->dtor(element TSRMLS_CC);
                }
 
+               if (intern->traverse_pointer == element) {
+                       SPL_LLIST_DELREF(element);
+                       intern->traverse_pointer = NULL;
+               }
+
                zval_ptr_dtor((zval **)&element->data);
                element->data = NULL;
 
diff --git a/ext/spl/tests/bug67538.phpt b/ext/spl/tests/bug67538.phpt
new file mode 100644
index 0000000..b6f3848
--- /dev/null
+++ b/ext/spl/tests/bug67538.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #67538 (SPL Iterators use-after-free)
+--FILE--
+<?php
+$list = new SplDoublyLinkedList();
+$list->push('a');
+$list->push('b');
+
+$list->rewind();
+$list->offsetUnset(0);
+$list->push('b');
+$list->offsetUnset(0);
+$list->next();
+echo "okey";
+?>
+--EXPECTF--
+okey
-- 
1.9.2

1	Patch adapted for PHP 5.3.3
2
3	Orginal patch:
4	From df78c48354f376cf419d7a97f88ca07d572f00fb Mon Sep 17 00:00:00 2001
5	From: Xinchen Hui <laruence@php.net>
6	Date: Wed, 2 Jul 2014 17:45:09 +0800
7	Subject: [PATCH] Fixed Bug #67538 (SPL Iterators use-after-free)
8
9	---
10	NEWS \| 3 +++
11	ext/spl/spl_dllist.c \| 7 +++++--
12	ext/spl/tests/bug67538.phpt \| 17 +++++++++++++++++
13	3 files changed, 25 insertions(+), 2 deletions(-)
14	create mode 100644 ext/spl/tests/bug67538.phpt
15
16	diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c
17	index 39a0733..0b44d41 100644
18	--- a/ext/spl/spl_dllist.c
19	+++ b/ext/spl/spl_dllist.c
20	@@ -40,12 +40,10 @@ PHPAPI zend_class_entry *spl_ce_SplStack;
21
22	#define SPL_LLIST_DELREF(elem) if(!--(elem)->rc) { \
23	efree(elem); \
24	- elem = NULL; \
25	}
26
27	#define SPL_LLIST_CHECK_DELREF(elem) if((elem) && !--(elem)->rc) { \
28	efree(elem); \
29	- elem = NULL; \
30	}
31
32	#define SPL_LLIST_ADDREF(elem) (elem)->rc++
33	@@ -911,6 +909,11 @@ SPL_METHOD(SplDoublyLinkedList, offsetUnset)
34	llist->dtor(element TSRMLS_CC);
35	}
36
37	+ if (intern->traverse_pointer == element) {
38	+ SPL_LLIST_DELREF(element);
39	+ intern->traverse_pointer = NULL;
40	+ }
41	+
42	zval_ptr_dtor((zval **)&element->data);
43	element->data = NULL;
44
45	diff --git a/ext/spl/tests/bug67538.phpt b/ext/spl/tests/bug67538.phpt
46	new file mode 100644
47	index 0000000..b6f3848
48	--- /dev/null
49	+++ b/ext/spl/tests/bug67538.phpt
50	@@ -0,0 +1,17 @@
51	+--TEST--
52	+Bug #67538 (SPL Iterators use-after-free)
53	+--FILE--
54	+<?php
55	+$list = new SplDoublyLinkedList();
56	+$list->push('a');
57	+$list->push('b');
58	+
59	+$list->rewind();
60	+$list->offsetUnset(0);
61	+$list->push('b');
62	+$list->offsetUnset(0);
63	+$list->next();
64	+echo "okey";
65	+?>
66	+--EXPECTF--
67	+okey
68	--
69	1.9.2
70