summaryrefslogtreecommitdiffstats
path: root/php-5.4.17-CVE-2013-4013.patch
blob: dfa2c862a595f9f7e4e2af28cc0ad69ccf4ac5eb (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
From 7d163e8a0880ae8af2dd869071393e5dc07ef271 Mon Sep 17 00:00:00 2001
From: Rob Richards <rrichards@php.net>
Date: Sat, 6 Jul 2013 07:53:07 -0400
Subject: [PATCH] truncate results at depth of 255 to prevent corruption

---
 ext/xml/xml.c | 90 +++++++++++++++++++++++++++++++++--------------------------
 1 file changed, 50 insertions(+), 40 deletions(-)

diff --git a/ext/xml/xml.c b/ext/xml/xml.c
index 1f0480b..9f0bc30 100644
--- a/ext/xml/xml.c
+++ b/ext/xml/xml.c
@@ -428,7 +428,7 @@ static void xml_parser_dtor(zend_rsrc_list_entry *rsrc TSRMLS_DC)
 	}
 	if (parser->ltags) {
 		int inx;
-		for (inx = 0; inx < parser->level; inx++)
+		for (inx = 0; ((inx < parser->level) && (inx < XML_MAXLEVEL)); inx++)
 			efree(parser->ltags[ inx ]);
 		efree(parser->ltags);
 	}
@@ -805,45 +805,50 @@ void _xml_startElementHandler(void *userData, const XML_Char *name, const XML_Ch
 		} 
 
 		if (parser->data) {
-			zval *tag, *atr;
-			int atcnt = 0;
+			if (parser->level <= XML_MAXLEVEL)  {
+				zval *tag, *atr;
+				int atcnt = 0;
 
-			MAKE_STD_ZVAL(tag);
-			MAKE_STD_ZVAL(atr);
+				MAKE_STD_ZVAL(tag);
+				MAKE_STD_ZVAL(atr);
 
-			array_init(tag);
-			array_init(atr);
+				array_init(tag);
+				array_init(atr);
 
-			_xml_add_to_info(parser,((char *) tag_name) + parser->toffset);
+				_xml_add_to_info(parser,((char *) tag_name) + parser->toffset);
 
-			add_assoc_string(tag,"tag",((char *) tag_name) + parser->toffset,1); /* cast to avoid gcc-warning */
-			add_assoc_string(tag,"type","open",1);
-			add_assoc_long(tag,"level",parser->level);
+				add_assoc_string(tag,"tag",((char *) tag_name) + parser->toffset,1); /* cast to avoid gcc-warning */
+				add_assoc_string(tag,"type","open",1);
+				add_assoc_long(tag,"level",parser->level);
 
-			parser->ltags[parser->level-1] = estrdup(tag_name);
-			parser->lastwasopen = 1;
+				parser->ltags[parser->level-1] = estrdup(tag_name);
+				parser->lastwasopen = 1;
 
-			attributes = (const XML_Char **) attrs;
+				attributes = (const XML_Char **) attrs;
 
-			while (attributes && *attributes) {
-				att = _xml_decode_tag(parser, attributes[0]);
-				val = xml_utf8_decode(attributes[1], strlen(attributes[1]), &val_len, parser->target_encoding);
-				
-				add_assoc_stringl(atr,att,val,val_len,0);
+				while (attributes && *attributes) {
+					att = _xml_decode_tag(parser, attributes[0]);
+					val = xml_utf8_decode(attributes[1], strlen(attributes[1]), &val_len, parser->target_encoding);
 
-				atcnt++;
-				attributes += 2;
+					add_assoc_stringl(atr,att,val,val_len,0);
 
-				efree(att);
-			}
+					atcnt++;
+					attributes += 2;
 
-			if (atcnt) {
-				zend_hash_add(Z_ARRVAL_P(tag),"attributes",sizeof("attributes"),&atr,sizeof(zval*),NULL);
-			} else {
-				zval_ptr_dtor(&atr);
-			}
+					efree(att);
+				}
+
+				if (atcnt) {
+					zend_hash_add(Z_ARRVAL_P(tag),"attributes",sizeof("attributes"),&atr,sizeof(zval*),NULL);
+				} else {
+					zval_ptr_dtor(&atr);
+				}
 
-			zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),(void *) &parser->ctag);
+				zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),(void *) &parser->ctag);
+			} else if (parser->level == (XML_MAXLEVEL + 1)) {
+				TSRMLS_FETCH();
+				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Maximum depth exceeded - Results truncated");
+			}
 		}
 
 		efree(tag_name);
@@ -895,7 +900,7 @@ void _xml_endElementHandler(void *userData, const XML_Char *name)
 
 		efree(tag_name);
 
-		if (parser->ltags) {
+		if ((parser->ltags) && (parser->level <= XML_MAXLEVEL)) {
 			efree(parser->ltags[parser->level-1]);
 		}
 
@@ -979,18 +984,23 @@ void _xml_characterDataHandler(void *userData, const XML_Char *s, int len)
 						}
 					}
 
-					MAKE_STD_ZVAL(tag);
-					
-					array_init(tag);
-					
-					_xml_add_to_info(parser,parser->ltags[parser->level-1] + parser->toffset);
+					if (parser->level <= XML_MAXLEVEL) {
+						MAKE_STD_ZVAL(tag);
 
-					add_assoc_string(tag,"tag",parser->ltags[parser->level-1] + parser->toffset,1);
-					add_assoc_string(tag,"value",decoded_value,0);
-					add_assoc_string(tag,"type","cdata",1);
-					add_assoc_long(tag,"level",parser->level);
+						array_init(tag);
 
-					zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),NULL);
+						_xml_add_to_info(parser,parser->ltags[parser->level-1] + parser->toffset);
+
+						add_assoc_string(tag,"tag",parser->ltags[parser->level-1] + parser->toffset,1);
+						add_assoc_string(tag,"value",decoded_value,0);
+						add_assoc_string(tag,"type","cdata",1);
+						add_assoc_long(tag,"level",parser->level);
+
+						zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),NULL);
+					} else if (parser->level == (XML_MAXLEVEL + 1)) {
+						TSRMLS_FETCH();
+						php_error_docref(NULL TSRMLS_CC, E_WARNING, "Maximum depth exceeded - Results truncated");
+					}
 				}
 			} else {
 				efree(decoded_value);
-- 
1.7.11.5

From 710eee5555bc5c95692bd3c84f5d2b5d687349b6 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Johannes=20Schl=C3=BCter?= <johannes@php.net>
Date: Wed, 10 Jul 2013 19:35:18 +0200
Subject: [PATCH] add test for bug #65236

---
 ext/xml/tests/bug65236.phpt | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 ext/xml/tests/bug65236.phpt

diff --git a/ext/xml/tests/bug65236.phpt b/ext/xml/tests/bug65236.phpt
new file mode 100644
index 0000000..67b26d6
--- /dev/null
+++ b/ext/xml/tests/bug65236.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #65236 (heap corruption in xml parser)
+--SKIPIF--
+<?php
+require_once("skipif.inc");
+?>
+--FILE--
+<?php
+xml_parse_into_struct(xml_parser_create_ns(), str_repeat("<blah>", 1000), $a);
+
+echo "Done\n";
+?>
+--EXPECTF--
+Warning: xml_parse_into_struct(): Maximum depth exceeded - Results truncated in %s on line %d
+Done
-- 
1.7.11.5