diff options
| author | Stanislav Malyshev <stas@php.net> | 2014-09-28 17:33:44 -0700 |
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2014-10-13 23:12:11 -0700 |
| commit | 88412772d295ebf7dd34409534507dc9bcac726e (patch) | |
| tree | 4aef8c94d41ec2adef5b26dc5afca680130bd16c | |
| parent | 82b07b62c06e9e55ab3590f20bd80a84ce73a801 (diff) | |
| download | php-git-88412772d295ebf7dd34409534507dc9bcac726e.tar.gz | |
Fix bug #68027 - fix date parsing in XMLRPC lib
| -rw-r--r-- | NEWS | 5 | ||||
| -rw-r--r-- | ext/xmlrpc/libxmlrpc/xmlrpc.c | 13 | ||||
| -rw-r--r-- | ext/xmlrpc/tests/bug68027.phpt | 44 |
3 files changed, 56 insertions, 6 deletions
@@ -2,7 +2,7 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? 2014, PHP 5.4.34 --Fileinfo: +- Fileinfo: . Fixed bug #66242 (libmagic: don't assume char is signed). (ArdB) - Core: @@ -12,6 +12,9 @@ PHP NEWS - OpenSSL: . Reverted fixes for bug #41631, due to regressions. (Stas) +- XMLRPC: + . Fixed bug #68027 (Global buffer overflow in mkgmtime() function). (Stas) + 18 Sep 2014, PHP 5.4.33 - Core: diff --git a/ext/xmlrpc/libxmlrpc/xmlrpc.c b/ext/xmlrpc/libxmlrpc/xmlrpc.c index ce70c2afd9..b766a5495a 100644 --- a/ext/xmlrpc/libxmlrpc/xmlrpc.c +++ b/ext/xmlrpc/libxmlrpc/xmlrpc.c @@ -219,16 +219,19 @@ static int date_from_ISO8601 (const char *text, time_t * value) { n = 10; tm.tm_mon = 0; for(i = 0; i < 2; i++) { - XMLRPC_IS_NUMBER(text[i]) + XMLRPC_IS_NUMBER(text[i+4]) tm.tm_mon += (text[i+4]-'0')*n; n /= 10; } tm.tm_mon --; + if(tm.tm_mon < 0 || tm.tm_mon > 11) { + return -1; + } n = 10; tm.tm_mday = 0; for(i = 0; i < 2; i++) { - XMLRPC_IS_NUMBER(text[i]) + XMLRPC_IS_NUMBER(text[i+6]) tm.tm_mday += (text[i+6]-'0')*n; n /= 10; } @@ -236,7 +239,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { n = 10; tm.tm_hour = 0; for(i = 0; i < 2; i++) { - XMLRPC_IS_NUMBER(text[i]) + XMLRPC_IS_NUMBER(text[i+9]) tm.tm_hour += (text[i+9]-'0')*n; n /= 10; } @@ -244,7 +247,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { n = 10; tm.tm_min = 0; for(i = 0; i < 2; i++) { - XMLRPC_IS_NUMBER(text[i]) + XMLRPC_IS_NUMBER(text[i+12]) tm.tm_min += (text[i+12]-'0')*n; n /= 10; } @@ -252,7 +255,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { n = 10; tm.tm_sec = 0; for(i = 0; i < 2; i++) { - XMLRPC_IS_NUMBER(text[i]) + XMLRPC_IS_NUMBER(text[i+15]) tm.tm_sec += (text[i+15]-'0')*n; n /= 10; } diff --git a/ext/xmlrpc/tests/bug68027.phpt b/ext/xmlrpc/tests/bug68027.phpt new file mode 100644 index 0000000000..a5c96f1cf2 --- /dev/null +++ b/ext/xmlrpc/tests/bug68027.phpt @@ -0,0 +1,44 @@ +--TEST-- +Bug #68027 (buffer overflow in mkgmtime() function) +--SKIPIF-- +<?php +if (!extension_loaded("xmlrpc")) print "skip"; +?> +--FILE-- +<?php + +$d = '6-01-01 20:00:00'; +xmlrpc_set_type($d, 'datetime'); +var_dump($d); +$datetime = "2001-0-08T21:46:40-0400"; +$obj = xmlrpc_decode("<?xml version=\"1.0\"?><methodResponse><params><param><value><dateTime.iso8601>$datetime</dateTime.iso8601></value></param></params></methodResponse>"); +print_r($obj); + +$datetime = "34770-0-08T21:46:40-0400"; +$obj = xmlrpc_decode("<?xml version=\"1.0\"?><methodResponse><params><param><value><dateTime.iso8601>$datetime</dateTime.iso8601></value></param></params></methodResponse>"); +print_r($obj); + +echo "Done\n"; +?> +--EXPECTF-- +object(stdClass)#1 (3) { + ["scalar"]=> + string(16) "6-01-01 20:00:00" + ["xmlrpc_type"]=> + string(8) "datetime" + ["timestamp"]=> + int(%d) +} +stdClass Object +( + [scalar] => 2001-0-08T21:46:40-0400 + [xmlrpc_type] => datetime + [timestamp] => %s +) +stdClass Object +( + [scalar] => 34770-0-08T21:46:40-0400 + [xmlrpc_type] => datetime + [timestamp] => %d +) +Done |