summaryrefslogtreecommitdiffstats
path: root/php-bug77242.patch
blob: b6afc7867e007f46692a00ae308d7c35ce47b6ee (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
Backported for 7.0 by Remi


From 4fc0bceb7c39be206c73f69993e3936ef329f656 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sat, 29 Dec 2018 17:56:36 -0800
Subject: [PATCH] Fix bug #77242 (heap out of bounds read in xmlrpc_decode())

---
 ext/xmlrpc/libxmlrpc/xml_element.c |  3 +++
 ext/xmlrpc/tests/bug77242.phpt     | 10 ++++++++++
 2 files changed, 13 insertions(+)
 create mode 100644 ext/xmlrpc/tests/bug77242.phpt

diff --git a/ext/xmlrpc/libxmlrpc/xml_element.c b/ext/xmlrpc/libxmlrpc/xml_element.c
index 56642d46142e..eeec5379bf68 100644
--- a/ext/xmlrpc/libxmlrpc/xml_element.c
+++ b/ext/xmlrpc/libxmlrpc/xml_element.c
@@ -723,6 +723,9 @@ xml_element* xml_elem_parse_buf(const char* in_buf, int len, XML_ELEM_INPUT_OPTI
          long byte_idx = XML_GetCurrentByteIndex(parser);
 /*         int byte_total = XML_GetCurrentByteCount(parser); */
          const char * error_str = XML_ErrorString(err_code);
+         if(byte_idx > len) {
+             byte_idx = len;
+         }
          if(byte_idx >= 0) {
              snprintf(buf,
                       sizeof(buf),
diff --git a/ext/xmlrpc/tests/bug77242.phpt b/ext/xmlrpc/tests/bug77242.phpt
new file mode 100644
index 000000000000..542c06311f74
--- /dev/null
+++ b/ext/xmlrpc/tests/bug77242.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Bug #77242 (heap out of bounds read in xmlrpc_decode())
+--SKIPIF--
+<?php if (!extension_loaded("xmlrpc")) print "skip"; ?>
+--FILE--
+<?php
+var_dump(xmlrpc_decode(base64_decode("PD94bWwgdmVyc2lvbmVuY29kaW5nPSJJU084ODU5NyKkpKSkpKSkpKSkpKSkpKSkpKSkpKSk")));
+?>
+--EXPECT--
+NULL
\ No newline at end of file