authorStanislav Malyshev <stas@php.net>2016-01-05 19:37:29 -0800
committerStanislav Malyshev <stas@php.net>2016-01-05 19:38:29 -0800
commit13750cb0a15d8e1744f6de85b85c73f0b9939dad (patch)
tree2123a8e8efab48e7977f5290ceb90bfa46128cd3 /ext/xmlrpc
parent53fb2f1e5c6037a5182c2e0dcd5bac7ecdb7c150 (diff)
parent74dcbe12997132353fd75d0c14548cff5235329f (diff)
Merge branch 'PHP-5.5' into PHP-5.6
* PHP-5.5:
  Update NEWS
  Improve fix for bug #70976
  Fixed bug #70661 (Use After Free Vulnerability in WDDX Packet Deserialization)
  Fixed bug #70741: Session WDDX Packet Deserialization Type Confusion Vulnerability
  Fixed #70728
  Fixed bug #70755: fpm_log.c memory leak and buffer overflow
  Fix bug #70976: fix boundary check on gdImageRotateInterpolated
  typofix
Diffstat (limited to 'ext/xmlrpc')
-rw-r--r--ext/xmlrpc/tests/bug70728.phpt30
-rw-r--r--ext/xmlrpc/xmlrpc-epi-php.c13
2 files changed, 41 insertions, 2 deletions
diff --git a/ext/xmlrpc/tests/bug70728.phpt b/ext/xmlrpc/tests/bug70728.phpt
new file mode 100644
index 0000000000..5510c33936
--- /dev/null
+++ b/ext/xmlrpc/tests/bug70728.phpt
@@ -0,0 +1,30 @@
+--TEST--
+Bug #70728 (Type Confusion Vulnerability in PHP_to_XMLRPC_worker)
+--SKIPIF--
+<?php
+if (!extension_loaded("xmlrpc")) print "skip";
+?>
+--FILE--
+<?php
+$obj = new stdClass;
+$obj->xmlrpc_type = 'base64';
+$obj->scalar = 0x1122334455;
+var_dump(xmlrpc_encode($obj));
+var_dump($obj);
+?>
+--EXPECTF--
+string(135) "<?xml version="1.0" encoding="utf-8"?>
+<params>
+<param>
+ <value>
+ <base64>NzM1ODgyMjkyMDU=&#10;</base64>
+ </value>
+</param>
+</params>
+"
+object(stdClass)#1 (2) {
+ ["xmlrpc_type"]=>
+ string(6) "base64"
+ ["scalar"]=>
+ int(73588229205)
+}
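Review bot: The expected output `int(73588229205)` in --EXPECTF-- only holds where PHP integers are 64 bits wide; `0x1122334455` does not fit a 32-bit integer, so on such builds the literal becomes a float and `var_dump($obj)` prints `float(...)`, failing the test for a reason unrelated to the bug. Either extend --SKIPIF-- with `if (PHP_INT_SIZE != 8) die("skip 64-bit only");` or use a scalar that fits 32 bits and adjust the expected base64 payload and string length to match. The existing SKIPIF line prints a bare `skip` with no reason; `die("skip xmlrpc extension not loaded")` makes skipped runs easier to read in CI output.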
diff --git a/ext/xmlrpc/xmlrpc-epi-php.c b/ext/xmlrpc/xmlrpc-epi-php.c
index 3862800b2b..e0f3463695 100644
--- a/ext/xmlrpc/xmlrpc-epi-php.c
+++ b/ext/xmlrpc/xmlrpc-epi-php.c
@@ -532,7 +532,16 @@ static XMLRPC_VALUE PHP_to_XMLRPC_worker (const char* key, zval* in_val, int dep
xReturn = XMLRPC_CreateValueEmpty();
XMLRPC_SetValueID(xReturn, key, 0);
} else {
- xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL_P(val), Z_STRLEN_P(val));
+ if (Z_TYPE_P(val) != IS_STRING) {
+ zval *newvalue;
+ ALLOC_INIT_ZVAL(newvalue);
+ MAKE_COPY_ZVAL(&val, newvalue);
+ convert_to_string(newvalue);
+ xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL_P(newvalue), Z_STRLEN_P(newvalue));
+ zval_ptr_dtor(&newvalue);
+ } else {
+ xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL_P(val), Z_STRLEN_P(val));
+ }
}
break;
case xmlrpc_datetime:
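Review bot: The new non-string branch has no comment saying why it converts a copy rather than `val` itself, and it accepts any type: for an array or an object without `__toString`, `convert_to_string()` presumably produces a placeholder string plus a notice, which is then base64-encoded as if it were payload. I would add `/* bug #70728: scalar may be any type; stringify a private copy so the caller's zval is left untouched */` above `ALLOC_INIT_ZVAL(newvalue);`, and consider rejecting non-scalar values instead of encoding them. The two `XMLRPC_CreateValueBase64` calls could also collapse into one by pointing a local at either `val` or the copy. The other cases of this switch, starting with `case xmlrpc_datetime:` on the hunk's last line, lie outside the hunk; any that read `Z_STRVAL_P(val)` deserve the same type check.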
@@ -1451,7 +1460,7 @@ XMLRPC_VALUE_TYPE get_zval_xmlrpc_type(zval* value, zval** newvalue) /* {{{ */
if (newvalue) {
zval** val;
- if ((type == xmlrpc_base64 && Z_TYPE_P(value) != IS_NULL) || type == xmlrpc_datetime) {
+ if ((type == xmlrpc_base64 && Z_TYPE_P(value) == IS_OBJECT) || type == xmlrpc_datetime) {
if (zend_hash_find(Z_OBJPROP_P(value), OBJECT_VALUE_ATTR, sizeof(OBJECT_VALUE_ATTR), (void**) &val) == SUCCESS) {
*newvalue = *val;
}