From 08069d1e5b43644dc9cac9bd4d645304320cc0d0 Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Wed, 6 Jan 2016 17:23:22 +0100
Subject: PHP 5.4.45 with security patches from 5.5.31
---
bug70728.patch | 80 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 80 insertions(+)
create mode 100644 bug70728.patch
(limited to 'bug70728.patch')
diff --git a/bug70728.patch b/bug70728.patch
new file mode 100644
index 0000000..788eb34
--- /dev/null
+++ b/bug70728.patch
@@ -0,0 +1,80 @@
+Backported from 5.5 for 5.4 by Remi Collet
+
+From 4df84a648ec62b17bd8f8359452f8defd1026167 Mon Sep 17 00:00:00 2001
+From: Julien Pauli
+Date: Tue, 22 Dec 2015 14:28:19 +0100
+Subject: [PATCH] Fixed #70728
+
+---
+ ext/xmlrpc/tests/bug70728.phpt | 30 ++++++++++++++++++++++++++++++
+ ext/xmlrpc/xmlrpc-epi-php.c | 13 +++++++++++--
+ 2 files changed, 41 insertions(+), 2 deletions(-)
+ create mode 100644 ext/xmlrpc/tests/bug70728.phpt
+
+diff --git a/ext/xmlrpc/tests/bug70728.phpt b/ext/xmlrpc/tests/bug70728.phpt
+new file mode 100644
+index 0000000..5510c33
+--- /dev/null
++++ b/ext/xmlrpc/tests/bug70728.phpt
+@@ -0,0 +1,30 @@
++--TEST--
++Bug #70728 (Type Confusion Vulnerability in PHP_to_XMLRPC_worker)
++--SKIPIF--
++
++--FILE--
++xmlrpc_type = 'base64';
++$obj->scalar = 0x1122334455;
++var_dump(xmlrpc_encode($obj));
++var_dump($obj);
++?>
++--EXPECTF--
++string(135) "
++
++
++
++ NzM1ODgyMjkyMDU=
++
++
++
++"
++object(stdClass)#1 (2) {
++ ["xmlrpc_type"]=>
++ string(6) "base64"
++ ["scalar"]=>
++ int(73588229205)
++}
+diff --git a/ext/xmlrpc/xmlrpc-epi-php.c b/ext/xmlrpc/xmlrpc-epi-php.c
+index 613892c..6c76434 100644
+--- a/ext/xmlrpc/xmlrpc-epi-php.c
++++ b/ext/xmlrpc/xmlrpc-epi-php.c
+@@ -532,7 +532,16 @@ static XMLRPC_VALUE PHP_to_XMLRPC_worker (const char* key, zval* in_val, int dep
+ xReturn = XMLRPC_CreateValueEmpty();
+ XMLRPC_SetValueID(xReturn, key, 0);
+ } else {
+- xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL_P(val), Z_STRLEN_P(val));
++ if (Z_TYPE_P(val) != IS_STRING) {
++ zval *newvalue;
++ ALLOC_INIT_ZVAL(newvalue);
++ MAKE_COPY_ZVAL(&val, newvalue);
++ convert_to_string(newvalue);
++ xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL_P(newvalue), Z_STRLEN_P(newvalue));
++ zval_ptr_dtor(&newvalue);
++ } else {
++ xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL_P(val), Z_STRLEN_P(val));
++ }
+ }
+ break;
+ case xmlrpc_datetime:
+@@ -1452,7 +1461,7 @@ XMLRPC_VALUE_TYPE get_zval_xmlrpc_type(zval* value, zval** newvalue) /* {{{ */
+ if (newvalue) {
+ zval** val;
+
+- if ((type == xmlrpc_base64 && Z_TYPE_P(value) != IS_NULL) || type == xmlrpc_datetime) {
++ if ((type == xmlrpc_base64 && Z_TYPE_P(value) == IS_OBJECT) || type == xmlrpc_datetime) {
+ if (zend_hash_find(Z_OBJPROP_P(value), OBJECT_VALUE_ATTR, sizeof(OBJECT_VALUE_ATTR), (void**) &val) == SUCCESS) {
+ *newvalue = *val;
+ }
-- cgit
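Review bot: In the `get_zval_xmlrpc_type` hunk of the backported patch, the new `Z_TYPE_P(value) == IS_OBJECT` test guards only the `xmlrpc_base64` arm, so the `type == xmlrpc_datetime` arm still reaches `Z_OBJPROP_P(value)` without a visible check that `value` is an object. How `type` is derived sits above the hunk and is not shown, so this may be unreachable today, but hoisting the guard makes the property lookup safe by construction: `if (Z_TYPE_P(value) == IS_OBJECT && (type == xmlrpc_base64 || type == xmlrpc_datetime)) {`. In the `PHP_to_XMLRPC_worker` hunk the conversion is done on a copy, which is what keeps the caller's zval untouched, but bug70728.phpt covers only an integer `scalar`; a case for another non-string type would pin that path too. Both functions continue outside their hunks.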