authorThiruvadi Rajaraman <trajaraman@mvista.com>2017-06-15 15:44:02 +0530
committerArmin Kuster <akuster808@gmail.com>2017-11-16 15:28:03 -0800
commitd3af620af497f17b9ac2723e7ff895689ae7a8c9 (patch)
tree4b074913449f72b0d84d34569418764a39504eb2
parentb286598b43c38c7bfe6679b59ddd60058276cc53 (diff)
php: CVE-2016-9934 fix
Source: http://git.php.net/repository/php-src.git MR: 70048 Type: Security Fix Disposition: Backport from php-5.6.29RC1 ChangeID: ebcd0ab0790fb0c70877e12aa0a76ae478bb204f Description: Fixed bug #73331 - NULL Pointer Dereference in WDDX Packet Deserialization with PDORow. Author: Stanislav Malyshev <stas@php.net> Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> Reviewed-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r--meta-oe/recipes-devtools/php/php-5.6.26/CVE-2016-9934.patch181
-rw-r--r--meta-oe/recipes-devtools/php/php_5.6.26.bb1
2 files changed, 182 insertions, 0 deletions
diff --git a/meta-oe/recipes-devtools/php/php-5.6.26/CVE-2016-9934.patch b/meta-oe/recipes-devtools/php/php-5.6.26/CVE-2016-9934.patch
new file mode 100644
index 0000000000..d6d77c363a
--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php-5.6.26/CVE-2016-9934.patch
@@ -0,0 +1,181 @@
+commit 6045de69c7dedcba3eadf7c4bba424b19c81d00d
+Author: Stanislav Malyshev <stas@php.net>
+Date: Sun Oct 23 20:07:47 2016 -0700
+
+ Fix bug #73331 - do not try to serialize/unserialize objects wddx can not handle
+
+ Proper soltion would be to call serialize/unserialize and deal with the result,
+ but this requires more work that should be done by wddx maintainer (not me).
+
+Upstream-status: Backport
+
+CVE: CVE-2016-9934
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: php-5.6.26/ext/pdo/pdo_stmt.c
+===================================================================
+--- php-5.6.26.orig/ext/pdo/pdo_stmt.c 2016-09-16 02:32:50.000000000 +0530
++++ php-5.6.26/ext/pdo/pdo_stmt.c 2017-06-15 14:48:28.590259874 +0530
+@@ -2338,6 +2338,7 @@
+ pdo_row_ce->ce_flags |= ZEND_ACC_FINAL_CLASS; /* when removing this a lot of handlers need to be redone */
+ pdo_row_ce->create_object = pdo_row_new;
+ pdo_row_ce->serialize = pdo_row_serialize;
++ pdo_row_ce->unserialize = zend_class_unserialize_deny;
+ }
+
+ static void free_statement(pdo_stmt_t *stmt TSRMLS_DC)
+Index: php-5.6.26/ext/wddx/tests/bug45901.phpt
+===================================================================
+--- php-5.6.26.orig/ext/wddx/tests/bug45901.phpt 2016-09-16 02:32:50.000000000 +0530
++++ php-5.6.26/ext/wddx/tests/bug45901.phpt 2017-06-15 14:48:28.590259874 +0530
+@@ -14,5 +14,6 @@
+ echo "DONE";
+ ?>
+ --EXPECTF--
+-<wddxPacket version='1.0'><header><comment>Variables</comment></header><data><struct><var name='php_class_name'><string>SimpleXMLElement</string></var><var name='test'><struct><var name='php_class_name'><string>SimpleXMLElement</string></var></struct></var></struct></data></wddxPacket>
+-DONE
+\ No newline at end of file
++Warning: wddx_serialize_value(): Class SimpleXMLElement can not be serialized in %sbug45901.php on line %d
++<wddxPacket version='1.0'><header><comment>Variables</comment></header><data></data></wddxPacket>
++DONE
+Index: php-5.6.26/ext/wddx/tests/bug73331.phpt
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ php-5.6.26/ext/wddx/tests/bug73331.phpt 2017-06-15 14:48:28.590259874 +0530
+@@ -0,0 +1,14 @@
++--TEST--
++Bug #73331 (NULL Pointer Dereference in WDDX Packet Deserialization with PDORow)
++--SKIPIF--
++<?php if (!extension_loaded("wddx") || !extension_loaded("pdo")) print "skip"; ?>
++--FILE--
++<?php
++
++$wddx = "<wddxPacket version='1.0'><header/><data><struct><var name='php_class_name'><string>PDORow</string></var></struct></data></wddxPacket
++var_dump(wddx_deserialize($wddx));
++?>
++--EXPECTF--
++
++Warning: wddx_deserialize(): Class pdorow can not be unserialized in %s73331.php on line %d
++NULL
+Index: php-5.6.26/ext/wddx/wddx.c
+===================================================================
+--- php-5.6.26.orig/ext/wddx/wddx.c 2016-09-16 02:32:50.000000000 +0530
++++ php-5.6.26/ext/wddx/wddx.c 2017-06-15 14:48:28.590259874 +0530
+@@ -471,8 +471,18 @@
+ ulong idx;
+ char tmp_buf[WDDX_BUF_LEN];
+ HashTable *objhash, *sleephash;
++ zend_class_entry *ce;
++ PHP_CLASS_ATTRIBUTES;
+ TSRMLS_FETCH();
+
++ PHP_SET_CLASS_ATTRIBUTES(obj);
++ ce = Z_OBJCE_P(obj);
++ if (!ce || ce->serialize || ce->unserialize) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Class %s can not be serialized", class_name);
++ PHP_CLEANUP_CLASS_ATTRIBUTES();
++ return;
++ }
++
+ MAKE_STD_ZVAL(fname);
+ ZVAL_STRING(fname, "__sleep", 1);
+
+@@ -482,10 +492,6 @@
+ */
+ if (call_user_function_ex(CG(function_table), &obj, fname, &retval, 0, 0, 1, NULL TSRMLS_CC) == SUCCESS) {
+ if (retval && (sleephash = HASH_OF(retval))) {
+- PHP_CLASS_ATTRIBUTES;
+-
+- PHP_SET_CLASS_ATTRIBUTES(obj);
+-
+ php_wddx_add_chunk_static(packet, WDDX_STRUCT_S);
+ snprintf(tmp_buf, WDDX_BUF_LEN, WDDX_VAR_S, PHP_CLASS_NAME_VAR);
+ php_wddx_add_chunk(packet, tmp_buf);
+@@ -494,8 +500,6 @@
+ php_wddx_add_chunk_static(packet, WDDX_STRING_E);
+ php_wddx_add_chunk_static(packet, WDDX_VAR_E);
+
+- PHP_CLEANUP_CLASS_ATTRIBUTES();
+-
+ objhash = HASH_OF(obj);
+
+ for (zend_hash_internal_pointer_reset(sleephash);
+@@ -516,10 +520,6 @@
+ } else {
+ uint key_len;
+
+- PHP_CLASS_ATTRIBUTES;
+-
+- PHP_SET_CLASS_ATTRIBUTES(obj);
+-
+ php_wddx_add_chunk_static(packet, WDDX_STRUCT_S);
+ snprintf(tmp_buf, WDDX_BUF_LEN, WDDX_VAR_S, PHP_CLASS_NAME_VAR);
+ php_wddx_add_chunk(packet, tmp_buf);
+@@ -528,8 +528,6 @@
+ php_wddx_add_chunk_static(packet, WDDX_STRING_E);
+ php_wddx_add_chunk_static(packet, WDDX_VAR_E);
+
+- PHP_CLEANUP_CLASS_ATTRIBUTES();
+-
+ objhash = HASH_OF(obj);
+ for (zend_hash_internal_pointer_reset(objhash);
+ zend_hash_get_current_data(objhash, (void**)&ent) == SUCCESS;
+@@ -550,6 +548,8 @@
+ }
+ php_wddx_add_chunk_static(packet, WDDX_STRUCT_E);
+ }
++
++ PHP_CLEANUP_CLASS_ATTRIBUTES();
+
+ zval_dtor(fname);
+ FREE_ZVAL(fname);
+@@ -1012,25 +1012,30 @@
+ pce = &PHP_IC_ENTRY;
+ }
+
+- /* Initialize target object */
+- MAKE_STD_ZVAL(obj);
+- object_init_ex(obj, *pce);
+-
+- /* Merge current hashtable with object's default properties */
+- zend_hash_merge(Z_OBJPROP_P(obj),
+- Z_ARRVAL_P(ent2->data),
+- (void (*)(void *)) zval_add_ref,
+- (void *) &tmp, sizeof(zval *), 0);
+-
+- if (incomplete_class) {
+- php_store_class_name(obj, Z_STRVAL_P(ent1->data), Z_STRLEN_P(ent1->data));
+- }
+-
+- /* Clean up old array entry */
+- zval_ptr_dtor(&ent2->data);
+-
+- /* Set stack entry to point to the newly created object */
+- ent2->data = obj;
++ if (pce != &PHP_IC_ENTRY && ((*pce)->serialize || (*pce)->unserialize)) {
++ ent2->data = NULL;
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Class %s can not be unserialized", Z_STRVAL_P(ent1->data));
++ } else {
++ /* Initialize target object */
++ MAKE_STD_ZVAL(obj);
++ object_init_ex(obj, *pce);
++
++ /* Merge current hashtable with object's default properties */
++ zend_hash_merge(Z_OBJPROP_P(obj),
++ Z_ARRVAL_P(ent2->data),
++ (void (*)(void *)) zval_add_ref,
++ (void *) &tmp, sizeof(zval *), 0);
++
++ if (incomplete_class) {
++ php_store_class_name(obj, Z_STRVAL_P(ent1->data), Z_STRLEN_P(ent1->data));
++ }
++
++ /* Clean up old array entry */
++ zval_ptr_dtor(&ent2->data);
++
++ /* Set stack entry to point to the newly created object */
++ ent2->data = obj;
++ }
+
+ /* Clean up class name var entry */
+ zval_ptr_dtor(&ent1->data);
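Review bot: In the deny branch added to the unserialize path of wddx.c (`if (pce != &PHP_IC_ENTRY && ((*pce)->serialize || (*pce)->unserialize))`), `ent2->data` is overwritten with NULL but the array zval it held is never released, whereas the else branch releases it with `zval_ptr_dtor(&ent2->data)` after the merge; the struct entries accumulated for a rejected packet therefore appear to leak, unless the caller frees them, which cannot be confirmed here because the enclosing function continues past the hunk. A minimal fix is `zval_ptr_dtor(&ent2->data); ent2->data = NULL;` ahead of the warning. The rejected class name comes straight from the packet via `Z_STRVAL_P(ent1->data)` and is correctly passed as a `%s` argument rather than as the format string. The serialize-side change in `php_wddx_serialize_object` looks consistent: the early return calls `PHP_CLEANUP_CLASS_ATTRIBUTES()` and precedes `MAKE_STD_ZVAL(fname)`, so nothing is leaked on that path, and the single `PHP_CLEANUP_CLASS_ATTRIBUTES()` moved after the if/else matches the now-unconditional `PHP_SET_CLASS_ATTRIBUTES(obj)`.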
diff --git a/meta-oe/recipes-devtools/php/php_5.6.26.bb b/meta-oe/recipes-devtools/php/php_5.6.26.bb
index cf104803da..073d873bd8 100644
--- a/meta-oe/recipes-devtools/php/php_5.6.26.bb
+++ b/meta-oe/recipes-devtools/php/php_5.6.26.bb
@@ -4,6 +4,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=b602636d46a61c0ac0432bbf5c078fe4"
SRC_URI += "file://change-AC_TRY_RUN-to-AC_TRY_LINK.patch \
file://CVE-2016-9137.patch \
+ file://CVE-2016-9934.patch \
"
SRC_URI[md5sum] = "cb424b705cfb715fc04f499f8a8cf52e"
SRC_URI[sha256sum] = "d47aab8083a4284b905777e1b45dd7735adc53be827b29f896684750ac8b6236"