author | Raphael Geissert <geissert@php.net> | 2010-03-13 18:40:29 +0000 |
---|---|---|
committer | Raphael Geissert <geissert@php.net> | 2010-03-13 18:40:29 +0000 |
commit | d8da372fd0aa22d503b4204f4485b2d5c8ce75bd (patch) | |
tree | 29b35fb408cabb44eb325d7a735b3e49d0c3c129 | |
parent | 1c6ea06c73a2fc997c350fc9ff5cac28f7f5f22e (diff) | |
Fix CVE-2010-0397: null pointer dereference when processing invalid XML-RPC
requests (bug #51288)
-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | ext/xmlrpc/tests/bug51288.phpt | 14 | ||||
-rw-r--r-- | ext/xmlrpc/xmlrpc-epi-php.c | 14 |
3 files changed, 27 insertions, 4 deletions
@@ -6,6 +6,9 @@ PHP NEWS
 - Added stream filter support to mcrypt extension (ported from mcrypt_filter). (Stas)
+- Fixed a NULL pointer dereference when processing invalid XML-RPC
+ requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert)
+
 - Fixed bug #51269 (zlib.output_compression Overwrites Vary Header). (Adam)
 - Fixed bug #51257 (CURL_VERSION_LARGEFILE incorrectly used after libcurl version 7.10.1). (aron dot ujvari at microsec dot hu)
diff --git a/ext/xmlrpc/tests/bug51288.phpt b/ext/xmlrpc/tests/bug51288.phpt
new file mode 100644
index 0000000000..d9bdef822e
--- /dev/null
+++ b/ext/xmlrpc/tests/bug51288.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Bug #51288 (CVE-2010-0397, NULL pointer deref when no <methodName> in request)
+--FILE--
+<?php
+$method = NULL;
+$req = '<?xml version="1.0"?><methodCall></methodCall>';
+var_dump(xmlrpc_decode_request($req, $method));
+var_dump($method);
+echo "Done\n";
+?>
+--EXPECT--
+NULL
+NULL
+Done
diff --git a/ext/xmlrpc/xmlrpc-epi-php.c b/ext/xmlrpc/xmlrpc-epi-php.c
index 4c09299a07..6f1cb0880f 100644
--- a/ext/xmlrpc/xmlrpc-epi-php.c
+++ b/ext/xmlrpc/xmlrpc-epi-php.c
@@ -778,6 +778,7 @@ zval* decode_request_worker(char *xml_in, int xml_in_len, char *encoding_in, zva
 zval* retval = NULL;
 XMLRPC_REQUEST response;
 STRUCT_XMLRPC_REQUEST_INPUT_OPTIONS opts = {{0}};
+ const char *method_name;
 opts.xml_elem_opts.encoding = encoding_in ? utf8_get_encoding_id_from_string(encoding_in) : ENCODING_DEFAULT;
 /* generate XMLRPC_REQUEST from raw xml */
@@ -788,10 +789,15 @@ zval* decode_request_worker(char *xml_in, int xml_in_len, char *encoding_in, zva
 if (XMLRPC_RequestGetRequestType(response) == xmlrpc_request_call) {
 if (method_name_out) {
- zval_dtor(method_name_out);
- Z_TYPE_P(method_name_out) = IS_STRING;
- Z_STRVAL_P(method_name_out) = estrdup(XMLRPC_RequestGetMethodName(response));
- Z_STRLEN_P(method_name_out) = strlen(Z_STRVAL_P(method_name_out));
+ method_name = XMLRPC_RequestGetMethodName(response);
+ if (method_name) {
+ zval_dtor(method_name_out);
+ Z_TYPE_P(method_name_out) = IS_STRING;
+ Z_STRVAL_P(method_name_out) = estrdup(method_name);
+ Z_STRLEN_P(method_name_out) = strlen(Z_STRVAL_P(method_name_out));
+ } else {
+ retval = NULL;
+ }
 }
 }
|
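Review bot: The `retval = NULL;` in the new else branch overwrites retval without releasing what it holds; if retval was already assigned from the decoded request data earlier in decode_request_worker (above this hunk, not visible here), that zval is leaked on every methodName-less `<methodCall>`, and an unauthenticated client can trigger this path at will. I would release it before clearing, `} else if (retval) {` / `zval_ptr_dtor(&retval);` / `retval = NULL;`, so the invalid request is rejected without leaking. Note also that the NULL-method check sits inside `if (method_name_out)`, so a call with no `<methodName>` is only rejected when the caller asked for the method name; if that asymmetry is intended, a one-line comment there would save the next reader from re-deriving it. decode_request_worker's body starts and ends outside this hunk.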