CVE-2014-8142 backport applied to php-5.3.29.tar.bz2 tarball from php.net

CVE-2015-0231.patch

diff -urN php-5.3.29.cve-2014-8142/ext/standard/tests/strings/bug68710.phpt php-5.3.29/ext/standard/tests/strings/bug68710.phpt
--- php-5.3.29.cve-2014-8142/ext/standard/tests/strings/bug68710.phpt	1970-01-01 00:00:00.000000000 +0000
+++ php-5.3.29/ext/standard/tests/strings/bug68710.phpt	2015-04-02 22:49:47.182599589 +0000
@@ -0,0 +1,25 @@
+--TEST--
+Bug #68710 Use after free vulnerability in unserialize() (bypassing the
+CVE-2014-8142 fix)
+--FILE--
+<?php
+for ($i=4; $i<100; $i++) {
+    $m = new StdClass();
+
+    $u = array(1);
+
+    $m->aaa = array(1,2,&$u,4,5);
+    $m->bbb = 1;
+    $m->ccc = &$u;
+    $m->ddd = str_repeat("A", $i);
+
+    $z = serialize($m);
+    $z = str_replace("aaa", "123", $z);
+    $z = str_replace("bbb", "123", $z);
+    $y = unserialize($z);
+    $z = serialize($y);
+}
+?>
+===DONE===
+--EXPECTF--
+===DONE===
diff -urN php-5.3.29.cve-2014-8142/ext/standard/var_unserializer.c php-5.3.29/ext/standard/var_unserializer.c
--- php-5.3.29.cve-2014-8142/ext/standard/var_unserializer.c	2015-04-02 22:48:26.757482338 +0000
+++ php-5.3.29/ext/standard/var_unserializer.c	2015-04-02 23:00:24.863474225 +0000
@@ -300,7 +300,7 @@
 		} else {
 			/* object properties should include no integers */
 			convert_to_string(key);
-			if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
+			if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
 				var_push_dtor(var_hash, old_data);
 			}
 			zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
diff -urN php-5.3.29.cve-2014-8142/ext/standard/var_unserializer.re php-5.3.29/ext/standard/var_unserializer.re
--- php-5.3.29.cve-2014-8142/ext/standard/var_unserializer.re	2015-04-02 22:48:26.757482338 +0000
+++ php-5.3.29/ext/standard/var_unserializer.re	2015-04-02 23:00:34.325606113 +0000
@@ -304,7 +304,7 @@
 		} else {
 			/* object properties should include no integers */
 			convert_to_string(key);
-			if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
+			if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
 				var_push_dtor(var_hash, old_data);
 			}
 			zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
diff -urN php-5.3.29.cve-2014-8142/NEWS php-5.3.29/NEWS
--- php-5.3.29.cve-2014-8142/NEWS	2015-04-02 22:48:26.755482310 +0000
+++ php-5.3.29/NEWS	2015-04-02 22:49:25.199294154 +0000
@@ -1,5 +1,10 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+2 Apr 2015, PHP 5.3.29 (Security Release)
+- Core:
+  . Fix bug #68710 (Use after free vulnerability in unserialize(), incomplete
+    fix for #68594). (Stefan Esser) (joemiller/pantheon)
+
 7 Jan 2015, PHP 5.3.29 (Security Release)
 - Core:
   . Fixed bug #68594 (Use after free vulnerability in unserialize()). (fujin)

NOTE: This must be applied to php-5.3.29 source AFTER the patch from https://gist.github.com/joemiller/cf7ef21a4880e1c11fb3 is applied.

adapted from: php/php-src@b585a3a