/[smeserver]/rpms/php/sme8/php-5.3.3-CVE-2014-4670.patch

Annotation of /rpms/php/sme8/php-5.3.3-CVE-2014-4670.patch



Revision 1.1
Sat Oct 18 10:16:16 2014 UTC (10 years ago) by vip-ire
Branch: MAIN
CVS Tags: php-5_3_3-17_el5_sme, php-5_3_3-16_el5_sme, HEAD
* Sat Oct 18 2014 Daniel Berteaud <daniel@firewall-services.com> - 5.3.3-16.sme
- Resync with upstream php53, which includes (see [SME: 8574])
- spl: fix use-after-free in ArrayIterator due to object
  change during sorting. CVE-2014-4698
- spl: fix use-after-free in SPL Iterators. CVE-2014-4670
- gd: fix NULL pointer dereference in gdImageCreateFromXpm.
  CVE-2014-2497
- fileinfo: fix incomplete fix for CVE-2012-1571 in
  cdf_read_property_info. CVE-2014-3587
- core: fix incomplete fix for CVE-2014-4049 DNS TXT
  record parsing. CVE-2014-3597

1 vip-ire 1.1 Patch adapted for PHP 5.3.3
2    
3     Original patch:
4     From df78c48354f376cf419d7a97f88ca07d572f00fb Mon Sep 17 00:00:00 2001
5     From: Xinchen Hui <laruence@php.net>
6     Date: Wed, 2 Jul 2014 17:45:09 +0800
7     Subject: [PATCH] Fixed Bug #67538 (SPL Iterators use-after-free)
8    
9     ---
10     NEWS | 3 +++
11     ext/spl/spl_dllist.c | 7 +++++--
12     ext/spl/tests/bug67538.phpt | 17 +++++++++++++++++
13     3 files changed, 25 insertions(+), 2 deletions(-)
14     create mode 100644 ext/spl/tests/bug67538.phpt
15    
16     diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c
17     index 39a0733..0b44d41 100644
18     --- a/ext/spl/spl_dllist.c
19     +++ b/ext/spl/spl_dllist.c
20     @@ -40,12 +40,10 @@ PHPAPI zend_class_entry *spl_ce_SplStack;
21    
22     #define SPL_LLIST_DELREF(elem) if(!--(elem)->rc) { \
23     efree(elem); \
24     - elem = NULL; \
25     }
26    
27     #define SPL_LLIST_CHECK_DELREF(elem) if((elem) && !--(elem)->rc) { \
28     efree(elem); \
29     - elem = NULL; \
30     }
31    
32     #define SPL_LLIST_ADDREF(elem) (elem)->rc++
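Review bot: With `elem = NULL;` dropped from both SPL_LLIST_DELREF and SPL_LLIST_CHECK_DELREF, the macro argument is left pointing at freed memory once `efree(elem)` runs, so every call site now has to clear or stop using its pointer itself; a comment on the macros stating that contract would help. Both macros also still expand to a bare `if (...) { ... }`, which can capture a following `else` at a call site; wrapping the bodies in `do { ... } while (0)` avoids that.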
33     @@ -911,6 +909,11 @@ SPL_METHOD(SplDoublyLinkedList, offsetUnset)
34     llist->dtor(element TSRMLS_CC);
35     }
36    
37     + if (intern->traverse_pointer == element) {
38     + SPL_LLIST_DELREF(element);
39     + intern->traverse_pointer = NULL;
40     + }
41     +
42     zval_ptr_dtor((zval **)&element->data);
43     element->data = NULL;
44    
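Review bot: The added block calls `SPL_LLIST_DELREF(element)` and the context lines right after it still dereference `element->data`, so this is only safe if `element` holds at least one more reference than the iterator's at this point. Because the macro no longer nulls its argument after `efree`, nothing here would catch the count reaching zero; a short comment naming the reference that keeps `element` alive, or a check on `element->rc` before the release, would make the invariant explicit.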
45     diff --git a/ext/spl/tests/bug67538.phpt b/ext/spl/tests/bug67538.phpt
46     new file mode 100644
47     index 0000000..b6f3848
48     --- /dev/null
49     +++ b/ext/spl/tests/bug67538.phpt
50     @@ -0,0 +1,17 @@
51     +--TEST--
52     +Bug #67538 (SPL Iterators use-after-free)
53     +--FILE--
54     +<?php
55     +$list = new SplDoublyLinkedList();
56     +$list->push('a');
57     +$list->push('b');
58     +
59     +$list->rewind();
60     +$list->offsetUnset(0);
61     +$list->push('b');
62     +$list->offsetUnset(0);
63     +$list->next();
64     +echo "okey";
65     +?>
66     +--EXPECTF--
67     +okey
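Review bot: The test's only check is the literal `okey` after `$list->next()`, which shows the script did not crash but says nothing about the iterator state, and a use-after-free does not reliably crash without a memory checker. Consider also printing `$list->valid()` or `$list->current()` after the `next()` call so the iterator's expected position is asserted, and use `--EXPECT--` rather than `--EXPECTF--` since the expected output has no format placeholders.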
68     --
69     1.9.2
70    
