From 3ba80f05620ff05dc3835de45f7d22eba11cca67 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Fri, 11 Jan 2019 14:14:31 +0100 Subject: Backport xmlrpc security fix from 5.6.40 - Fix #77242 heap out of bounds read in xmlrpc_decode - Fix #77380 Global out of bounds read in xmlrpc base64 code --- bug77380.patch | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 bug77380.patch (limited to 'bug77380.patch') diff --git a/bug77380.patch b/bug77380.patch new file mode 100644 index 0000000..d3db7db --- /dev/null +++ b/bug77380.patch @@ -0,0 +1,52 @@ +Backported for 5.4 from: + + + +From 1cc2182bcc81e185c14837e659d12b268cb99d63 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Tue, 1 Jan 2019 17:15:20 -0800 +Subject: [PATCH] Fix bug #77380 (Global out of bounds read in xmlrpc base64 + code) + +--- + ext/xmlrpc/libxmlrpc/base64.c | 4 ++-- + ext/xmlrpc/tests/bug77380.phpt | 17 +++++++++++++++++ + 2 files changed, 19 insertions(+), 2 deletions(-) + create mode 100644 ext/xmlrpc/tests/bug77380.phpt + +diff --git a/ext/xmlrpc/libxmlrpc/base64.c b/ext/xmlrpc/libxmlrpc/base64.c +index 5ebdf31f7ade..a4fa19327b76 100644 +--- a/ext/xmlrpc/libxmlrpc/base64.c ++++ b/ext/xmlrpc/libxmlrpc/base64.c +@@ -169,7 +169,7 @@ void base64_decode_xmlrpc(struct buffer_st *bfr, const char *source, int length) + return; + } + +- if (dtable[c] & 0x80) { ++ if (dtable[(unsigned char)c] & 0x80) { + /* + fprintf(stderr, "Offset %i length %i\n", offset, length); + fprintf(stderr, "character '%c:%x:%c' in input file.\n", c, c, dtable[c]); +diff --git a/ext/xmlrpc/tests/bug77380.phpt b/ext/xmlrpc/tests/bug77380.phpt +new file mode 100644 +index 000000000000..8559c07a5aea +--- /dev/null ++++ b/ext/xmlrpc/tests/bug77380.phpt +@@ -0,0 +1,17 @@ ++--TEST-- ++Bug #77380 (Global out of bounds read in xmlrpc base64 code) ++--SKIPIF-- ++ ++--FILE-- ++ ++--EXPECT-- ++object(stdClass)#1 (2) { ++ ["scalar"]=> ++ string(0) "" ++ ["xmlrpc_type"]=> ++ string(6) "base64" ++} -- cgit