Fix from PHP community for CVE-2014-8142

Bug:

Code:

This patch is for a newer version of php so this hand crafted equivalent

was created for php 5.3.

--- php-5.3.29/ext/standard/var_unserializer.re_orig 2014-08-13 12:22:50.000000000 -0700

+++ php-5.3.29/ext/standard/var_unserializer.re 2015-02-05 14:51:58.796366953 -0800

@@ -304,6 +304,9 @@

} else {

/* object properties should include no integers */

convert_to_string(key);

+ if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {

+ var_push_dtor(var_hash, old_data);

+ }

zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,

sizeof data, NULL);

}

--- php-5.3.29/ext/standard/var_unserializer.c_orig 2014-08-13 12:27:30.000000000 -0700

+++ php-5.3.29/ext/standard/var_unserializer.c 2015-02-05 15:20:42.925115687 -0800

@@ -298,6 +298,9 @@

} else {

/* object properties should include no integers */

convert_to_string(key);

+ if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {

+ var_push_dtor(var_hash, old_data);

+ }

zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,

sizeof data, NULL);

}

--- php-5.3.29/ext/standard/tests/serialize/bug68594.phpt_orig 2015-02-05 14:59:34.551069069 -0800

+++ php-5.3.29/ext/standard/tests/serialize/bug68594.phpt 2015-02-05 14:54:28.269051205 -0800

@@ -0,0 +1,23 @@

+--TEST--

+Bug #68545 Use after free vulnerability in unserialize()

+--FILE--

+<?php

+for ($i=4; $i<100; $i++) {

+ $m = new StdClass();

+

+ $u = array(1);

+

+ $m->aaa = array(1,2,&$u,4,5);

+ $m->bbb = 1;

+ $m->ccc = &$u;

+ $m->ddd = str_repeat("A", $i);

+

+ $z = serialize($m);

+ $z = str_replace("bbb", "aaa", $z);

+ $y = unserialize($z);

+ $z = serialize($y);

+}

+?>

+===DONE===

+--EXPECTF--

+===DONE===