diff options
author | Stanislav Malyshev <stas@php.net> | 2019-01-01 17:15:20 -0800 |
---|---|---|
committer | Christoph M. Becker <cmbecker69@gmx.de> | 2019-01-07 13:41:05 +0100 |
commit | 027f68ff10a439c5c331bcbfdd6eb2a5fca0948a (patch) | |
tree | b98965c16c304f2d9e296f4335f037550e1bbf17 | |
parent | c1edfc748b88ef025edd23553888536ed62dc38e (diff) | |
download | php-git-027f68ff10a439c5c331bcbfdd6eb2a5fca0948a.tar.gz |
Fix bug #77380 (Global out of bounds read in xmlrpc base64 code)
(cherry picked from commit 1cc2182bcc81e185c14837e659d12b268cb99d63)
-rw-r--r-- | NEWS | 1 | ||||
-rw-r--r-- | ext/xmlrpc/libxmlrpc/base64.c | 4 | ||||
-rw-r--r-- | ext/xmlrpc/tests/bug77380.phpt | 17 |
3 files changed, 20 insertions, 2 deletions
@@ -72,6 +72,7 @@ PHP NEWS - Xmlrpc: . Fixed bug #77242 (heap out of bounds read in xmlrpc_decode()). (cmb) + . Fixed bug #77380 (Global out of bounds read in xmlrpc base64 code). (Stas) 06 Dec 2018, PHP 7.3.0 diff --git a/ext/xmlrpc/libxmlrpc/base64.c b/ext/xmlrpc/libxmlrpc/base64.c index 0739a71561..979e46c3f4 100644 --- a/ext/xmlrpc/libxmlrpc/base64.c +++ b/ext/xmlrpc/libxmlrpc/base64.c @@ -74,7 +74,7 @@ void base64_encode_xmlrpc(struct buffer_st *b, const char *source, int length) while (!hiteof) { unsigned char igroup[3], ogroup[4]; - int c, n; + int c, n; igroup[0] = igroup[1] = igroup[2] = 0; for (n = 0; n < 3; n++) { @@ -166,7 +166,7 @@ void base64_decode_xmlrpc(struct buffer_st *bfr, const char *source, int length) return; } - if (dtable[c] & 0x80) { + if (dtable[(unsigned char)c] & 0x80) { /* fprintf(stderr, "Offset %i length %i\n", offset, length); fprintf(stderr, "character '%c:%x:%c' in input file.\n", c, c, dtable[c]); diff --git a/ext/xmlrpc/tests/bug77380.phpt b/ext/xmlrpc/tests/bug77380.phpt new file mode 100644 index 0000000000..8559c07a5a --- /dev/null +++ b/ext/xmlrpc/tests/bug77380.phpt @@ -0,0 +1,17 @@ +--TEST-- +Bug #77380 (Global out of bounds read in xmlrpc base64 code) +--SKIPIF-- +<?php +if (!extension_loaded("xmlrpc")) print "skip"; +?> +--FILE-- +<?php +var_dump(xmlrpc_decode(base64_decode("PGJhc2U2ND7CkzwvYmFzZTY0Pgo="))); +?> +--EXPECT-- +object(stdClass)#1 (2) { + ["scalar"]=> + string(0) "" + ["xmlrpc_type"]=> + string(6) "base64" +} |