From fe5d970fb9bac5d6db1801db7a40355810895891 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Fri, 11 Jan 2019 14:48:46 +0100 Subject: Backport xmlrpc security fix from 5.6.40 - Fix #77242 heap out of bounds read in xmlrpc_decode - Fix #77380 Global out of bounds read in xmlrpc base64 code --- bug77242.patch | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 bug77242.patch (limited to 'bug77242.patch') diff --git a/bug77242.patch b/bug77242.patch new file mode 100644 index 0000000..485ed8a --- /dev/null +++ b/bug77242.patch @@ -0,0 +1,42 @@ +From 4fc0bceb7c39be206c73f69993e3936ef329f656 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sat, 29 Dec 2018 17:56:36 -0800 +Subject: [PATCH] Fix bug #77242 (heap out of bounds read in xmlrpc_decode()) + +--- + ext/xmlrpc/libxmlrpc/xml_element.c | 3 +++ + ext/xmlrpc/tests/bug77242.phpt | 10 ++++++++++ + 2 files changed, 13 insertions(+) + create mode 100644 ext/xmlrpc/tests/bug77242.phpt + +diff --git a/ext/xmlrpc/libxmlrpc/xml_element.c b/ext/xmlrpc/libxmlrpc/xml_element.c +index 56642d46142e..eeec5379bf68 100644 +--- a/ext/xmlrpc/libxmlrpc/xml_element.c ++++ b/ext/xmlrpc/libxmlrpc/xml_element.c +@@ -723,6 +723,9 @@ xml_element* xml_elem_parse_buf(const char* in_buf, int len, XML_ELEM_INPUT_OPTI + long byte_idx = XML_GetCurrentByteIndex(parser); + /* int byte_total = XML_GetCurrentByteCount(parser); */ + const char * error_str = XML_ErrorString(err_code); ++ if(byte_idx > len) { ++ byte_idx = len; ++ } + if(byte_idx >= 0) { + snprintf(buf, + sizeof(buf), +diff --git a/ext/xmlrpc/tests/bug77242.phpt b/ext/xmlrpc/tests/bug77242.phpt +new file mode 100644 +index 000000000000..542c06311f74 +--- /dev/null ++++ b/ext/xmlrpc/tests/bug77242.phpt +@@ -0,0 +1,10 @@ ++--TEST-- ++Bug #77242 (heap out of bounds read in xmlrpc_decode()) ++--SKIPIF-- ++ ++--FILE-- ++ ++--EXPECT-- ++NULL +\ No newline at end of file -- cgit