From ba3d1956ebc838a191bdc31ba66a89c94cb98441 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev
Date: Sat, 29 Dec 2018 17:56:36 -0800
Subject: Fix bug #77242 (heap out of bounds read in xmlrpc_decode())
(cherry picked from commit 4fc0bceb7c39be206c73f69993e3936ef329f656)
---
 NEWS | 3 +++
 ext/xmlrpc/libxmlrpc/xml_element.c | 3 +++
 ext/xmlrpc/tests/bug77242.phpt | 10 ++++++++++
 3 files changed, 16 insertions(+)
 create mode 100644 ext/xmlrpc/tests/bug77242.phpt
diff --git a/NEWS b/NEWS
index cdee3d178a..621fd2f207 100644
--- a/NEWS
+++ b/NEWS
@@ -64,6 +64,9 @@ PHP NEWS
 - SQLite3:
 . Fixed bug #77051 (Issue with re-binding on SQLite3). (BohwaZ)
+- Xmlrpc:
+ . Fixed bug #77242 (heap out of bounds read in xmlrpc_decode()). (cmb)
+
 06 Dec 2018, PHP 7.3.0
 - Core:
diff --git a/ext/xmlrpc/libxmlrpc/xml_element.c b/ext/xmlrpc/libxmlrpc/xml_element.c
index 070680d4a7..86aad6108a 100644
--- a/ext/xmlrpc/libxmlrpc/xml_element.c
+++ b/ext/xmlrpc/libxmlrpc/xml_element.c
@@ -720,6 +720,9 @@ xml_element* xml_elem_parse_buf(const char* in_buf, int len, XML_ELEM_INPUT_OPTI
 long byte_idx = XML_GetCurrentByteIndex(parser);
 /* int byte_total = XML_GetCurrentByteCount(parser); */
 const char * error_str = XML_ErrorString(err_code);
+ if(byte_idx > len) {
+ byte_idx = len;
+ }
 if(byte_idx >= 0) {
 snprintf(buf, sizeof(buf),
diff --git a/ext/xmlrpc/tests/bug77242.phpt b/ext/xmlrpc/tests/bug77242.phpt
new file mode 100644
index 0000000000..542c06311f
--- /dev/null
+++ b/ext/xmlrpc/tests/bug77242.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Bug #77242 (heap out of bounds read in xmlrpc_decode())
+--SKIPIF--
+
+--FILE--
+
+--EXPECT--
+NULL
\ No newline at end of file
-- cgit v1.2.1
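Review bot: After the added clamp in xml_elem_parse_buf, `byte_idx == len` is still accepted, so whatever the following `snprintf(buf, sizeof(buf), ...` call reads from `in_buf` at that offset starts one byte past the `len` bytes the caller described, which is in bounds only when `in_buf[len]` holds a NUL terminator. The snprintf arguments and the rest of the function lie outside the hunk, so this is inferred and should be checked there. If the excerpt is printed with `%s`, a precision bound such as `%.*s` with `(int)(len - byte_idx)` would remove the reliance on the terminator. A short comment on the clamp would also help the next reader, e.g. `/* byte_idx can exceed len; keep the error excerpt inside in_buf (bug #77242) */`.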