Index: ext/standard/tests/strings/bug68710.phpt =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ ext/standard/tests/strings/bug68710.phpt 2015-02-13 11:36:32.969760122 -0500 @@ -0,0 +1,25 @@ +--TEST-- +Bug #68710 Use after free vulnerability in unserialize() (bypassing the +CVE-2014-8142 fix) +--FILE-- +aaa = array(1,2,&$u,4,5); + $m->bbb = 1; + $m->ccc = &$u; + $m->ddd = str_repeat("A", $i); + + $z = serialize($m); + $z = str_replace("aaa", "123", $z); + $z = str_replace("bbb", "123", $z); + $y = unserialize($z); + $z = serialize($y); +} +?> +===DONE=== +--EXPECTF-- +===DONE=== Index: ext/standard/var_unserializer.c =================================================================== --- ext/standard/var_unserializer.c 2015-02-13 11:36:33.009760449 -0500 +++ ext/standard/var_unserializer.c 2015-02-13 11:36:32.969760122 -0500 @@ -298,7 +298,7 @@ } else { /* object properties should include no integers */ convert_to_string(key); - if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) { + if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) { var_push_dtor(var_hash, old_data); } zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, Index: ext/standard/var_unserializer.re =================================================================== --- ext/standard/var_unserializer.re 2015-02-13 11:36:33.009760449 -0500 +++ ext/standard/var_unserializer.re 2015-02-13 11:36:32.969760122 -0500 @@ -304,7 +304,7 @@ } else { /* object properties should include no integers */ convert_to_string(key); - if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) { + if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) { var_push_dtor(var_hash, old_data); } zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,