php/sme8/php-5.3.3-CVE-2014-4698.patch

Patch adapted for PHP 5.3.3

Orginal patch:
From 22882a9d89712ff2b6ebc20a689a89452bba4dcd Mon Sep 17 00:00:00 2001
From: Xinchen Hui <laruence@php.net>
Date: Wed, 2 Jul 2014 17:57:42 +0800
Subject: [PATCH] Fixed bug #67539 (ArrayIterator use-after-free due to object
 change during sorting)

---
 NEWS                        |  2 ++
 ext/spl/spl_array.c         |  7 +++++++
 ext/spl/tests/bug67539.phpt | 15 +++++++++++++++
 3 files changed, 24 insertions(+)
 create mode 100644 ext/spl/tests/bug67539.phpt

diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 8392e72..0fe47b6 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -1661,8 +1661,15 @@
 {
        const unsigned char *p, *s;
        zval *pmembers, *pflags = NULL;
+       HashTable *aht;
        long flags;
 
+       aht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
+       if (aht->nApplyCount > 0) {
+               zend_error(E_WARNING, "Modification of ArrayObject during sorting is prohibited");
+               return;
+       }
+
        /* storage */
        s = p = buf;
 
diff --git a/ext/spl/tests/bug67539.phpt b/ext/spl/tests/bug67539.phpt
new file mode 100644
index 0000000..8bab2a8
--- /dev/null
+++ b/ext/spl/tests/bug67539.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #67539 (ArrayIterator use-after-free due to object change during sorting)
+--FILE--
+<?php
+
+$it = new ArrayIterator(array_fill(0,2,'X'), 1 );
+
+function badsort($a, $b) {
+        $GLOBALS['it']->unserialize($GLOBALS['it']->serialize());
+        return TRUE;
+}
+
+$it->uksort('badsort');
+--EXPECTF--
+Warning: Modification of ArrayObject during sorting is prohibited in %sbug67539.php on line %d
-- 
1.9.2

1	Patch adapted for PHP 5.3.3
2
3	Orginal patch:
4	From 22882a9d89712ff2b6ebc20a689a89452bba4dcd Mon Sep 17 00:00:00 2001
5	From: Xinchen Hui <laruence@php.net>
6	Date: Wed, 2 Jul 2014 17:57:42 +0800
7	Subject: [PATCH] Fixed bug #67539 (ArrayIterator use-after-free due to object
8	change during sorting)
9
10	---
11	NEWS \| 2 ++
12	ext/spl/spl_array.c \| 7 +++++++
13	ext/spl/tests/bug67539.phpt \| 15 +++++++++++++++
14	3 files changed, 24 insertions(+)
15	create mode 100644 ext/spl/tests/bug67539.phpt
16
17	diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
18	index 8392e72..0fe47b6 100644
19	--- a/ext/spl/spl_array.c
20	+++ b/ext/spl/spl_array.c
21	@@ -1661,8 +1661,15 @@
22	{
23	const unsigned char p, s;
24	zval pmembers, pflags = NULL;
25	+ HashTable *aht;
26	long flags;
27
28	+ aht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
29	+ if (aht->nApplyCount > 0) {
30	+ zend_error(E_WARNING, "Modification of ArrayObject during sorting is prohibited");
31	+ return;
32	+ }
33	+
34	/* storage */
35	s = p = buf;
36
37	diff --git a/ext/spl/tests/bug67539.phpt b/ext/spl/tests/bug67539.phpt
38	new file mode 100644
39	index 0000000..8bab2a8
40	--- /dev/null
41	+++ b/ext/spl/tests/bug67539.phpt
42	@@ -0,0 +1,15 @@
43	+--TEST--
44	+Bug #67539 (ArrayIterator use-after-free due to object change during sorting)
45	+--FILE--
46	+<?php
47	+
48	+$it = new ArrayIterator(array_fill(0,2,'X'), 1 );
49	+
50	+function badsort($a, $b) {
51	+ $GLOBALS['it']->unserialize($GLOBALS['it']->serialize());
52	+ return TRUE;
53	+}
54	+
55	+$it->uksort('badsort');
56	+--EXPECTF--
57	+Warning: Modification of ArrayObject during sorting is prohibited in %sbug67539.php on line %d
58	--
59	1.9.2
60