diff options
author | Remi Collet <remi@remirepo.net> | 2019-01-11 14:48:46 +0100 |
---|---|---|
committer | Remi Collet <remi@remirepo.net> | 2019-01-11 14:48:46 +0100 |
commit | fe5d970fb9bac5d6db1801db7a40355810895891 (patch) | |
tree | 3afbe1d0159ac84c44bb64afe468150610278dc8 /bug77242.patch | |
parent | 474971c0b5e4ce5b004b726ece8ee41c57181ea7 (diff) |
Backport xmlrpc security fix from 5.6.40
- Fix #77242 heap out of bounds read in xmlrpc_decode
- Fix #77380 Global out of bounds read in xmlrpc base64 code
Diffstat (limited to 'bug77242.patch')
-rw-r--r-- | bug77242.patch | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/bug77242.patch b/bug77242.patch new file mode 100644 index 0000000..485ed8a --- /dev/null +++ b/bug77242.patch @@ -0,0 +1,42 @@ +From 4fc0bceb7c39be206c73f69993e3936ef329f656 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sat, 29 Dec 2018 17:56:36 -0800 +Subject: [PATCH] Fix bug #77242 (heap out of bounds read in xmlrpc_decode()) + +--- + ext/xmlrpc/libxmlrpc/xml_element.c | 3 +++ + ext/xmlrpc/tests/bug77242.phpt | 10 ++++++++++ + 2 files changed, 13 insertions(+) + create mode 100644 ext/xmlrpc/tests/bug77242.phpt + +diff --git a/ext/xmlrpc/libxmlrpc/xml_element.c b/ext/xmlrpc/libxmlrpc/xml_element.c +index 56642d46142e..eeec5379bf68 100644 +--- a/ext/xmlrpc/libxmlrpc/xml_element.c ++++ b/ext/xmlrpc/libxmlrpc/xml_element.c +@@ -723,6 +723,9 @@ xml_element* xml_elem_parse_buf(const char* in_buf, int len, XML_ELEM_INPUT_OPTI + long byte_idx = XML_GetCurrentByteIndex(parser); + /* int byte_total = XML_GetCurrentByteCount(parser); */ + const char * error_str = XML_ErrorString(err_code); ++ if(byte_idx > len) { ++ byte_idx = len; ++ } + if(byte_idx >= 0) { + snprintf(buf, + sizeof(buf), +diff --git a/ext/xmlrpc/tests/bug77242.phpt b/ext/xmlrpc/tests/bug77242.phpt +new file mode 100644 +index 000000000000..542c06311f74 +--- /dev/null ++++ b/ext/xmlrpc/tests/bug77242.phpt +@@ -0,0 +1,10 @@ ++--TEST-- ++Bug #77242 (heap out of bounds read in xmlrpc_decode()) ++--SKIPIF-- ++<?php if (!extension_loaded("xmlrpc")) print "skip"; ?> ++--FILE-- ++<?php ++var_dump(xmlrpc_decode(base64_decode("PD94bWwgdmVyc2lvbmVuY29kaW5nPSJJU084ODU5NyKkpKSkpKSkpKSkpKSkpKSkpKSkpKSk"))); ++?> ++--EXPECT-- ++NULL +\ No newline at end of file |