1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
|
Backported from 5.6.25 by Remi.
From db38282f421a5d552840aeac807efc2f584162d2 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Thu, 4 Aug 2016 00:17:42 -0700
Subject: [PATCH] Fix bug #72749: wddx_deserialize allows illegal memory access
---
ext/wddx/tests/bug72749.phpt | 34 ++++++++++++++++++++++++++++++++++
ext/wddx/wddx.c | 20 ++++++++++++++------
2 files changed, 48 insertions(+), 6 deletions(-)
create mode 100644 ext/wddx/tests/bug72749.phpt
diff --git a/ext/wddx/tests/bug72749.phpt b/ext/wddx/tests/bug72749.phpt
new file mode 100644
index 0000000..ee17d0f
--- /dev/null
+++ b/ext/wddx/tests/bug72749.phpt
@@ -0,0 +1,34 @@
+--TEST--
+Bug #72749: wddx_deserialize allows illegal memory access
+--SKIPIF--
+<?php
+if (!extension_loaded('wddx')) {
+ die('skip. wddx not available');
+}
+?>
+--FILE--
+<?php
+$xml = <<<XML
+<?xml version='1.0'?>
+<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
+<wddxPacket version='1.0'>
+<header/>
+ <data>
+ <struct>
+ <var name='aDateTime3'>
+ <dateTime>2\r2004-09-10T05:52:49+00</dateTime>
+ </var>
+ </struct>
+ </data>
+</wddxPacket>
+XML;
+
+$array = wddx_deserialize($xml);
+var_dump($array);
+?>
+--EXPECT--
+array(1) {
+ ["aDateTime3"]=>
+ string(24) "2
+2004-09-10T05:52:49+00"
+}
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
index cde3e07..faadbfe1 100644
--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@@ -1116,18 +1116,26 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len)
case ST_DATETIME: {
char *tmp;
- tmp = emalloc(len + 1);
- memcpy(tmp, s, len);
+ if (Z_TYPE_P(ent->data) == IS_STRING) {
+ tmp = safe_emalloc(Z_STRLEN_P(ent->data), 1, (size_t)len + 1);
+ memcpy(tmp, Z_STRVAL_P(ent->data), Z_STRLEN_P(ent->data));
+ memcpy(tmp + Z_STRLEN_P(ent->data), s, len);
+ len += Z_STRLEN_P(ent->data);
+ efree(Z_STRVAL_P(ent->data));
+ Z_TYPE_P(ent->data) = IS_LONG;
+ } else {
+ tmp = emalloc(len + 1);
+ memcpy(tmp, s, len);
+ }
tmp[len] = '\0';
Z_LVAL_P(ent->data) = php_parse_date(tmp, NULL);
/* date out of range < 1969 or > 2038 */
if (Z_LVAL_P(ent->data) == -1) {
- Z_TYPE_P(ent->data) = IS_STRING;
- Z_STRLEN_P(ent->data) = len;
- Z_STRVAL_P(ent->data) = estrndup(s, len);
+ ZVAL_STRINGL(ent->data, tmp, len, 0);
+ } else {
+ efree(tmp);
}
- efree(tmp);
}
break;
|
