Merge branch 'PHP-5.4.45' into PHP-5.4

* PHP-5.4.45:
  Improve fix for #70172
  Fix bug #70312 - HAVAL gives wrong hashes in specific cases
  fix test
  add test
  Fix bug #70366 - use-after-free vulnerability in unserialize() with SplDoublyLinkedList
  Fix bug #70365 - use-after-free vulnerability in unserialize() with SplObjectStorage
  Fix bug #70172 - Use After Free Vulnerability in unserialize()
  Fix bug #70388 - SOAP serialize_function_call() type confusion
  Fixed bug #70350: ZipArchive::extractTo allows for directory traversal when creating directories
  Improve fix for #70385
  Fix bug #70345 (Multiple vulnerabilities related to PCRE functions)
  Fix bug #70385 (Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes)
  Fix bug #70219 (Use after free vulnerability in session deserializer)
  Fix for bug #69782

1 files changed, 2 insertions, 0 deletions

diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c
index 5d94a3b7b3..6a2e3211e5 100644
--- a/ext/spl/spl_observer.c
+++ b/ext/spl/spl_observer.c
@@ -853,6 +853,7 @@ SPL_METHOD(SplObjectStorage, unserialize)
 			zval_ptr_dtor(&pentry);
 			goto outexcept;
 		}
+		var_push_dtor(&var_hash, &pentry);
 		if(Z_TYPE_P(pentry) != IS_OBJECT) {
 			zval_ptr_dtor(&pentry);
 			goto outexcept;
@@ -864,6 +865,7 @@ SPL_METHOD(SplObjectStorage, unserialize)
 				zval_ptr_dtor(&pinf);
 				goto outexcept;
 			}
+			var_push_dtor(&var_hash, &pinf);
 		}
 
 		hash = spl_object_storage_get_hash(intern, getThis(), pentry, &hash_len TSRMLS_CC);