author | Stanislav Malyshev <stas@php.net> | 2018-12-29 17:56:36 -0800 |
---|---|---|
committer | Christoph M. Becker <cmbecker69@gmx.de> | 2019-01-07 13:18:57 +0100 |
commit | ba3d1956ebc838a191bdc31ba66a89c94cb98441 (patch) | |
tree | 1cbbd134137dd294b45ccffd479909bd0f468c73 | |
parent | 4371c1a8b51f53afab99855983018ff0fbc38e7f (diff) | |
download | php-git-ba3d1956ebc838a191bdc31ba66a89c94cb98441.tar.gz |
Fix bug #77242 (heap out of bounds read in xmlrpc_decode())
(cherry picked from commit 4fc0bceb7c39be206c73f69993e3936ef329f656)
-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | ext/xmlrpc/libxmlrpc/xml_element.c | 3 | ||||
-rw-r--r-- | ext/xmlrpc/tests/bug77242.phpt | 10 |
3 files changed, 16 insertions, 0 deletions
@@ -64,6 +64,9 @@ PHP NEWS
 - SQLite3:
 . Fixed bug #77051 (Issue with re-binding on SQLite3). (BohwaZ)
+- Xmlrpc:
+ . Fixed bug #77242 (heap out of bounds read in xmlrpc_decode()). (cmb)
+
 06 Dec 2018, PHP 7.3.0
 - Core:
diff --git a/ext/xmlrpc/libxmlrpc/xml_element.c b/ext/xmlrpc/libxmlrpc/xml_element.c
index 070680d4a7..86aad6108a 100644
--- a/ext/xmlrpc/libxmlrpc/xml_element.c
+++ b/ext/xmlrpc/libxmlrpc/xml_element.c
@@ -720,6 +720,9 @@ xml_element* xml_elem_parse_buf(const char* in_buf, int len, XML_ELEM_INPUT_OPTI
 long byte_idx = XML_GetCurrentByteIndex(parser);
 /* int byte_total = XML_GetCurrentByteCount(parser); */
 const char * error_str = XML_ErrorString(err_code);
+ if(byte_idx > len) {
+ byte_idx = len;
+ }
 if(byte_idx >= 0) {
 snprintf(buf,
 sizeof(buf),
diff --git a/ext/xmlrpc/tests/bug77242.phpt b/ext/xmlrpc/tests/bug77242.phpt
new file mode 100644
index 0000000000..542c06311f
--- /dev/null
+++ b/ext/xmlrpc/tests/bug77242.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Bug #77242 (heap out of bounds read in xmlrpc_decode())
+--SKIPIF--
+<?php if (!extension_loaded("xmlrpc")) print "skip"; ?>
+--FILE--
+<?php
+var_dump(xmlrpc_decode(base64_decode("PD94bWwgdmVyc2lvbmVuY29kaW5nPSJJU084ODU5NyKkpKSkpKSkpKSkpKSkpKSkpKSkpKSk")));
+?>
+--EXPECT--
+NULL
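Review bot: The clamp at `if(byte_idx > len)` in the xml_element.c hunk still admits `byte_idx == len`, so the `snprintf` that follows starts reading `in_buf` at or just before its end. Its format string and arguments lie outside this hunk, but if the excerpt is printed with a bare `%s`, the read is bounded only by a NUL terminator that the `(in_buf, len)` signature does not promise. Passing an explicit precision (`%.*s` with the remaining `len - offset` bytes) would keep the error path inside the buffer regardless of termination. The check also deserves a comment, for example `/* parser may report an index beyond the len bytes we passed in (bug #77242); clamp before using it as an offset into in_buf */`.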
\ No newline at end of file |
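Review bot: The `--EXPECT--` section of bug77242.phpt pins only the `NULL` return value, so the test presumably also passes on an unfixed build unless the suite runs under a memory checker, since an out-of-bounds read need not change the output. A short comment in the `--FILE--` block, such as `// regression for an out-of-bounds read: meaningful only under ASan or valgrind`, would make that dependency explicit to whoever maintains the test. The file also ends without a trailing newline.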