php/sme8/php-5.3.3-CVE-2014-4698.patch

Patch adapted for PHP 5.3.3

Orginal patch:
From 22882a9d89712ff2b6ebc20a689a89452bba4dcd Mon Sep 17 00:00:00 2001
From: Xinchen Hui <laruence@php.net>
Date: Wed, 2 Jul 2014 17:57:42 +0800
Subject: [PATCH] Fixed bug #67539 (ArrayIterator use-after-free due to object
 change during sorting)

---
 NEWS                        |  2 ++
 ext/spl/spl_array.c         |  7 +++++++
 ext/spl/tests/bug67539.phpt | 15 +++++++++++++++
 3 files changed, 24 insertions(+)
 create mode 100644 ext/spl/tests/bug67539.phpt

diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 8392e72..0fe47b6 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -1661,8 +1661,15 @@
 {
        const unsigned char *p, *s;
        zval *pmembers, *pflags = NULL;
+       HashTable *aht;
        long flags;
 
+       aht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
+       if (aht->nApplyCount > 0) {
+               zend_error(E_WARNING, "Modification of ArrayObject during sorting is prohibited");
+               return;
+       }
+
        /* storage */
        s = p = buf;
 
diff --git a/ext/spl/tests/bug67539.phpt b/ext/spl/tests/bug67539.phpt
new file mode 100644
index 0000000..8bab2a8
--- /dev/null
+++ b/ext/spl/tests/bug67539.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #67539 (ArrayIterator use-after-free due to object change during sorting)
+--FILE--
+<?php
+
+$it = new ArrayIterator(array_fill(0,2,'X'), 1 );
+
+function badsort($a, $b) {
+        $GLOBALS['it']->unserialize($GLOBALS['it']->serialize());
+        return TRUE;
+}
+
+$it->uksort('badsort');
+--EXPECTF--
+Warning: Modification of ArrayObject during sorting is prohibited in %sbug67539.php on line %d
-- 
1.9.2

1	vip-ire	1.1	Patch adapted for PHP 5.3.3
2
3			Orginal patch:
4			From 22882a9d89712ff2b6ebc20a689a89452bba4dcd Mon Sep 17 00:00:00 2001
5			From: Xinchen Hui <laruence@php.net>
6			Date: Wed, 2 Jul 2014 17:57:42 +0800
7			Subject: [PATCH] Fixed bug #67539 (ArrayIterator use-after-free due to object
8			change during sorting)
9
10			---
11			NEWS \| 2 ++
12			ext/spl/spl_array.c \| 7 +++++++
13			ext/spl/tests/bug67539.phpt \| 15 +++++++++++++++
14			3 files changed, 24 insertions(+)
15			create mode 100644 ext/spl/tests/bug67539.phpt
16
17			diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
18			index 8392e72..0fe47b6 100644
19			--- a/ext/spl/spl_array.c
20			+++ b/ext/spl/spl_array.c
21			@@ -1661,8 +1661,15 @@
22			{
23			const unsigned char p, s;
24			zval pmembers, pflags = NULL;
25			+ HashTable *aht;
26			long flags;
27
28			+ aht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
29			+ if (aht->nApplyCount > 0) {
30			+ zend_error(E_WARNING, "Modification of ArrayObject during sorting is prohibited");
31			+ return;
32			+ }
33			+
34			/* storage */
35			s = p = buf;
36
37			diff --git a/ext/spl/tests/bug67539.phpt b/ext/spl/tests/bug67539.phpt
38			new file mode 100644
39			index 0000000..8bab2a8
40			--- /dev/null
41			+++ b/ext/spl/tests/bug67539.phpt
42			@@ -0,0 +1,15 @@
43			+--TEST--
44			+Bug #67539 (ArrayIterator use-after-free due to object change during sorting)
45			+--FILE--
46			+<?php
47			+
48			+$it = new ArrayIterator(array_fill(0,2,'X'), 1 );
49			+
50			+function badsort($a, $b) {
51			+ $GLOBALS['it']->unserialize($GLOBALS['it']->serialize());
52			+ return TRUE;
53			+}
54			+
55			+$it->uksort('badsort');
56			+--EXPECTF--
57			+Warning: Modification of ArrayObject during sorting is prohibited in %sbug67539.php on line %d
58			--
59			1.9.2
60