authorThiruvadi Rajaraman <trajaraman@mvista.com>2017-06-15 15:48:08 +0530
committerArmin Kuster <akuster808@gmail.com>2017-11-16 15:28:50 -0800
commite76c1874456c8f131a8104d1359befd24a19036a (patch)
tree727a58f6ecc4d44643c3155ab3cbc34ef3d64c12
parentd3af620af497f17b9ac2723e7ff895689ae7a8c9 (diff)
php: CVE-2016-9935 fix
Source: http://git.php.net/repository/php-src.git MR: 70057 Type: Security Fix Disposition: Backport from php-5.6.30-RC1 ChangeID: e1e263d511f28c9d986f1adb193b0c5eb4c0cceb Description: Fixed the Memory leak due to invalid wddx stack processing. Author: Stanislav Malyshev <stas@php.net> Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> Reviewed-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r--meta-oe/recipes-devtools/php/php-5.6.26/CVE-2016-9935.patch52
-rw-r--r--meta-oe/recipes-devtools/php/php_5.6.26.bb1
2 files changed, 53 insertions, 0 deletions
diff --git a/meta-oe/recipes-devtools/php/php-5.6.26/CVE-2016-9935.patch b/meta-oe/recipes-devtools/php/php-5.6.26/CVE-2016-9935.patch
new file mode 100644
index 0000000000..109abb7136
--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php-5.6.26/CVE-2016-9935.patch
@@ -0,0 +1,52 @@
+commit 266ecb6d0a1ab5a37b4d652ca774a8adc4b06578
+Author: Stanislav Malyshev <stas@php.net>
+Date: Mon Dec 5 21:40:55 2016 -0800
+
+ Fix bug #73631 - Invalid read when wddx decodes empty boolean element
+
+Upstream-status: Backport
+
+CVE: CVE-2016-9935
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: php-5.6.26/ext/wddx/tests/bug73631.phpt
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ php-5.6.26/ext/wddx/tests/bug73631.phpt 2017-06-15 15:31:17.362351353 +0530
+@@ -0,0 +1,20 @@
++--TEST--
++Bug #73631 (Memory leak due to invalid wddx stack processing)
++--SKIPIF--
++<?php if (!extension_loaded("wddx")) print "skip"; ?>
++--FILE--
++<?php
++$xml = <<<EOF
++<?xml version="1.0" ?>
++<wddxPacket version="1.0">
++<number>1234</number>
++<binary><boolean/></binary>
++</wddxPacket>
++EOF;
++$wddx = wddx_deserialize($xml);
++var_dump($wddx);
++?>
++--EXPECTF--
++int(1234)
++
++
+Index: php-5.6.26/ext/wddx/wddx.c
+===================================================================
+--- php-5.6.26.orig/ext/wddx/wddx.c 2017-06-15 15:31:17.306351351 +0530
++++ php-5.6.26/ext/wddx/wddx.c 2017-06-15 15:31:17.362351353 +0530
+@@ -812,6 +812,11 @@
+ php_wddx_process_data(user_data, atts[i+1], strlen(atts[i+1]));
+ break;
+ }
++ } else {
++ ent.type = ST_BOOLEAN;
++ SET_STACK_VARNAME;
++ ZVAL_FALSE(&ent.data);
++ wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry));
+ }
+ } else if (!strcmp(name, EL_NULL)) {
+ ent.type = ST_NULL;
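Review bot: In the added `else` branch of the wddx.c sub-hunk, `ZVAL_FALSE(&ent.data)` looks carried over from the PHP 7 form of the fix; if `st_entry.data` is a `zval *` in this 5.6.26 tree (the declaration is outside the hunk, so please confirm), the macro writes through a `zval **` into the pointer slot itself and the pushed entry never holds an allocated zval, which could turn the invalid read into an invalid free when the stack entry is later destroyed. The branch should allocate before setting the value: `ALLOC_ZVAL(ent.data);`, `INIT_PZVAL(ent.data);`, `ZVAL_FALSE(ent.data);`. The bundled bug73631.phpt only compares the printed `int(1234)`, so it would not catch this unless the test is run under valgrind or ASan. The enclosing function begins and ends outside the hunk. Separately, the patch header spells the tag `Upstream-status:`; the OpenEmbedded convention is `Upstream-Status: Backport`.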
diff --git a/meta-oe/recipes-devtools/php/php_5.6.26.bb b/meta-oe/recipes-devtools/php/php_5.6.26.bb
index 073d873bd8..741c825b94 100644
--- a/meta-oe/recipes-devtools/php/php_5.6.26.bb
+++ b/meta-oe/recipes-devtools/php/php_5.6.26.bb
@@ -5,6 +5,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=b602636d46a61c0ac0432bbf5c078fe4"
SRC_URI += "file://change-AC_TRY_RUN-to-AC_TRY_LINK.patch \
file://CVE-2016-9137.patch \
file://CVE-2016-9934.patch \
+ file://CVE-2016-9935.patch \
"
SRC_URI[md5sum] = "cb424b705cfb715fc04f499f8a8cf52e"
SRC_URI[sha256sum] = "d47aab8083a4284b905777e1b45dd7735adc53be827b29f896684750ac8b6236"