authorStanislav Malyshev <stas@php.net>2018-12-29 17:56:36 -0800
committerChristoph M. Becker <cmbecker69@gmx.de>2019-01-07 13:18:57 +0100
commitba3d1956ebc838a191bdc31ba66a89c94cb98441 (patch)
tree1cbbd134137dd294b45ccffd479909bd0f468c73
parent4371c1a8b51f53afab99855983018ff0fbc38e7f (diff)
downloadphp-git-ba3d1956ebc838a191bdc31ba66a89c94cb98441.tar.gz
Fix bug #77242 (heap out of bounds read in xmlrpc_decode())
(cherry picked from commit 4fc0bceb7c39be206c73f69993e3936ef329f656)
-rw-r--r--NEWS3
-rw-r--r--ext/xmlrpc/libxmlrpc/xml_element.c3
-rw-r--r--ext/xmlrpc/tests/bug77242.phpt10
3 files changed, 16 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index cdee3d178a..621fd2f207 100644
--- a/NEWS
+++ b/NEWS
@@ -64,6 +64,9 @@ PHP NEWS
- SQLite3:
. Fixed bug #77051 (Issue with re-binding on SQLite3). (BohwaZ)
+- Xmlrpc:
+ . Fixed bug #77242 (heap out of bounds read in xmlrpc_decode()). (cmb)
+
06 Dec 2018, PHP 7.3.0
- Core:
diff --git a/ext/xmlrpc/libxmlrpc/xml_element.c b/ext/xmlrpc/libxmlrpc/xml_element.c
index 070680d4a7..86aad6108a 100644
--- a/ext/xmlrpc/libxmlrpc/xml_element.c
+++ b/ext/xmlrpc/libxmlrpc/xml_element.c
@@ -720,6 +720,9 @@ xml_element* xml_elem_parse_buf(const char* in_buf, int len, XML_ELEM_INPUT_OPTI
long byte_idx = XML_GetCurrentByteIndex(parser);
/* int byte_total = XML_GetCurrentByteCount(parser); */
const char * error_str = XML_ErrorString(err_code);
+ if(byte_idx > len) {
+ byte_idx = len;
+ }
if(byte_idx >= 0) {
snprintf(buf,
sizeof(buf),
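Review bot: The new clamp `if(byte_idx > len)` carries no comment explaining why the parser's reported byte index can exceed the caller-supplied length, so a later cleanup could remove it as dead code. A comment such as `/* parser may report an index past the input on malformed data (bug #77242); clamp so the error text never points beyond in_buf */` would record the reason. Clamping to `len` leaves byte_idx at one past the last input byte, which is safe only if the snprintf arguments (outside this hunk) read from in_buf as a string that is NUL-terminated at `in_buf[len]`; that is worth confirming against the callers. A negative `len` would make byte_idx negative and skip the message through the existing `byte_idx >= 0` guard, which looks acceptable. The body of xml_elem_parse_buf starts and ends outside the hunk.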
diff --git a/ext/xmlrpc/tests/bug77242.phpt b/ext/xmlrpc/tests/bug77242.phpt
new file mode 100644
index 0000000000..542c06311f
--- /dev/null
+++ b/ext/xmlrpc/tests/bug77242.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Bug #77242 (heap out of bounds read in xmlrpc_decode())
+--SKIPIF--
+<?php if (!extension_loaded("xmlrpc")) print "skip"; ?>
+--FILE--
+<?php
+var_dump(xmlrpc_decode(base64_decode("PD94bWwgdmVyc2lvbmVuY29kaW5nPSJJU084ODU5NyKkpKSkpKSkpKSkpKSkpKSkpKSkpKSk")));
+?>
+--EXPECT--
+NULL
\ No newline at end of file
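Review bot: The `--EXPECT--` of `NULL` probably passes on an unfixed build too, because an out-of-bounds read does not have to change the function's return value. The test therefore guards against a regression only when the suite runs under a memory checker such as valgrind or AddressSanitizer. A `--DESCRIPTION--` section saying so would stop a reader from assuming the output check alone is enough. A short comment above the `base64_decode()` call describing the payload (a truncated XML declaration followed by non-ASCII bytes, as far as the encoded string shows) would also make the test easier to maintain.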