summaryrefslogtreecommitdiffstats
path: root/bug70728.patch
diff options
context:
space:
mode:
Diffstat (limited to 'bug70728.patch')
-rw-r--r--bug70728.patch80
1 files changed, 80 insertions, 0 deletions
diff --git a/bug70728.patch b/bug70728.patch
new file mode 100644
index 0000000..788eb34
--- /dev/null
+++ b/bug70728.patch
@@ -0,0 +1,80 @@
+Backported from 5.5 for 5.4 by Remi Collet
+
+From 4df84a648ec62b17bd8f8359452f8defd1026167 Mon Sep 17 00:00:00 2001
+From: Julien Pauli <jpauli@php.net>
+Date: Tue, 22 Dec 2015 14:28:19 +0100
+Subject: [PATCH] Fixed #70728
+
+---
+ ext/xmlrpc/tests/bug70728.phpt | 30 ++++++++++++++++++++++++++++++
+ ext/xmlrpc/xmlrpc-epi-php.c | 13 +++++++++++--
+ 2 files changed, 41 insertions(+), 2 deletions(-)
+ create mode 100644 ext/xmlrpc/tests/bug70728.phpt
+
+diff --git a/ext/xmlrpc/tests/bug70728.phpt b/ext/xmlrpc/tests/bug70728.phpt
+new file mode 100644
+index 0000000..5510c33
+--- /dev/null
++++ b/ext/xmlrpc/tests/bug70728.phpt
+@@ -0,0 +1,30 @@
++--TEST--
++Bug #70728 (Type Confusion Vulnerability in PHP_to_XMLRPC_worker)
++--SKIPIF--
++<?php
++if (!extension_loaded("xmlrpc")) print "skip";
++?>
++--FILE--
++<?php
++$obj = new stdClass;
++$obj->xmlrpc_type = 'base64';
++$obj->scalar = 0x1122334455;
++var_dump(xmlrpc_encode($obj));
++var_dump($obj);
++?>
++--EXPECTF--
++string(135) "<?xml version="1.0" encoding="utf-8"?>
++<params>
++<param>
++ <value>
++ <base64>NzM1ODgyMjkyMDU=&#10;</base64>
++ </value>
++</param>
++</params>
++"
++object(stdClass)#1 (2) {
++ ["xmlrpc_type"]=>
++ string(6) "base64"
++ ["scalar"]=>
++ int(73588229205)
++}
+diff --git a/ext/xmlrpc/xmlrpc-epi-php.c b/ext/xmlrpc/xmlrpc-epi-php.c
+index 613892c..6c76434 100644
+--- a/ext/xmlrpc/xmlrpc-epi-php.c
++++ b/ext/xmlrpc/xmlrpc-epi-php.c
+@@ -532,7 +532,16 @@ static XMLRPC_VALUE PHP_to_XMLRPC_worker (const char* key, zval* in_val, int dep
+ xReturn = XMLRPC_CreateValueEmpty();
+ XMLRPC_SetValueID(xReturn, key, 0);
+ } else {
+- xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL_P(val), Z_STRLEN_P(val));
++ if (Z_TYPE_P(val) != IS_STRING) {
++ zval *newvalue;
++ ALLOC_INIT_ZVAL(newvalue);
++ MAKE_COPY_ZVAL(&val, newvalue);
++ convert_to_string(newvalue);
++ xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL_P(newvalue), Z_STRLEN_P(newvalue));
++ zval_ptr_dtor(&newvalue);
++ } else {
++ xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL_P(val), Z_STRLEN_P(val));
++ }
+ }
+ break;
+ case xmlrpc_datetime:
+@@ -1452,7 +1461,7 @@ XMLRPC_VALUE_TYPE get_zval_xmlrpc_type(zval* value, zval** newvalue) /* {{{ */
+ if (newvalue) {
+ zval** val;
+
+- if ((type == xmlrpc_base64 && Z_TYPE_P(value) != IS_NULL) || type == xmlrpc_datetime) {
++ if ((type == xmlrpc_base64 && Z_TYPE_P(value) == IS_OBJECT) || type == xmlrpc_datetime) {
+ if (zend_hash_find(Z_OBJPROP_P(value), OBJECT_VALUE_ATTR, sizeof(OBJECT_VALUE_ATTR), (void**) &val) == SUCCESS) {
+ *newvalue = *val;
+ }