authorStanislav Malyshev <stas@php.net>2019-01-06 12:50:10 -0800
committerStanislav Malyshev <stas@php.net>2019-01-06 12:50:10 -0800
commit0f148839b5944df8f36624df53aa8d7199718f19 (patch)
tree83544948712a768192d7f809c7683ecf48a4efe9 /ext/xmlrpc
parent3d9624e126366fe924f1374206e29c88a75c9361 (diff)
parente617f03066ce81d26f56c06d6bd7787c7de08703 (diff)
Merge branch 'PHP-7.3'
* PHP-7.3:
  Fix #77367: Negative size parameter in mb_split
  Fix #77369 - memcpy with negative length via crafted DNS response
  Fix more issues with encoding length
  Fix #77270: imagecolormatch Out Of Bounds Write on Heap
  Fix bug #77380 (Global out of bounds read in xmlrpc base64 code)
  Fix bug #77371 (heap buffer overflow in mb regex functions - compile_string_node)
  Fix bug #77370 - check that we do not read past buffer end when parsing multibytes
  Fix #77269: Potential unsigned underflow in gdImageScale
  Fix bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext)
  Fix bug #77242 (heap out of bounds read in xmlrpc_decode())
  Regenerate certs for openssl tests
Diffstat (limited to 'ext/xmlrpc')
-rw-r--r--ext/xmlrpc/libxmlrpc/base64.c4
-rw-r--r--ext/xmlrpc/libxmlrpc/xml_element.c3
-rw-r--r--ext/xmlrpc/tests/bug77242.phpt10
-rw-r--r--ext/xmlrpc/tests/bug77380.phpt17
4 files changed, 32 insertions, 2 deletions
diff --git a/ext/xmlrpc/libxmlrpc/base64.c b/ext/xmlrpc/libxmlrpc/base64.c
index 0739a71561..979e46c3f4 100644
--- a/ext/xmlrpc/libxmlrpc/base64.c
+++ b/ext/xmlrpc/libxmlrpc/base64.c
@@ -74,7 +74,7 @@ void base64_encode_xmlrpc(struct buffer_st *b, const char *source, int length)
while (!hiteof) {
unsigned char igroup[3], ogroup[4];
- int c, n;
+ int c, n;
igroup[0] = igroup[1] = igroup[2] = 0;
for (n = 0; n < 3; n++) {
@@ -166,7 +166,7 @@ void base64_decode_xmlrpc(struct buffer_st *bfr, const char *source, int length)
return;
}
- if (dtable[c] & 0x80) {
+ if (dtable[(unsigned char)c] & 0x80) {
/*
fprintf(stderr, "Offset %i length %i\n", offset, length);
fprintf(stderr, "character '%c:%x:%c' in input file.\n", c, c, dtable[c]);
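Review bot: The cast covers only this one lookup, so `c` itself can still be negative for input bytes of 0x80 and above where `char` is signed. The commented-out debug `fprintf` at the end of the hunk still indexes `dtable[c]`, and any other `dtable[c]` or `<ctype.h>` call on `c` elsewhere in base64_decode_xmlrpc would see the same negative value. Converting once where the byte is taken from `source`, along the lines of `c = (unsigned char)*source++;`, would cover every use. If the per-use cast is kept, the debug line should read `dtable[(unsigned char)c]` so that re-enabling it does not bring the out-of-bounds read back. The function body starts and ends outside the hunk, so the other uses are inferred rather than visible here.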
diff --git a/ext/xmlrpc/libxmlrpc/xml_element.c b/ext/xmlrpc/libxmlrpc/xml_element.c
index 070680d4a7..86aad6108a 100644
--- a/ext/xmlrpc/libxmlrpc/xml_element.c
+++ b/ext/xmlrpc/libxmlrpc/xml_element.c
@@ -720,6 +720,9 @@ xml_element* xml_elem_parse_buf(const char* in_buf, int len, XML_ELEM_INPUT_OPTI
long byte_idx = XML_GetCurrentByteIndex(parser);
/* int byte_total = XML_GetCurrentByteCount(parser); */
const char * error_str = XML_ErrorString(err_code);
+ if(byte_idx > len) {
+ byte_idx = len;
+ }
if(byte_idx >= 0) {
snprintf(buf,
sizeof(buf),
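Review bot: The new clamp at `if(byte_idx > len)` has no comment saying why the index returned by `XML_GetCurrentByteIndex` can exceed the caller's `len`, which is the whole reason the lines exist. A line such as `/* byte index is parser-reported and may lie past the end of in_buf; clamp before it is used as an offset */` would keep a later cleanup from removing it. After the clamp `byte_idx` can equal `len`. If the `snprintf` call, which continues outside the hunk, formats `in_buf + byte_idx` with `%s`, it still depends on `in_buf` being NUL-terminated at `len`, which is worth confirming against the callers.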
diff --git a/ext/xmlrpc/tests/bug77242.phpt b/ext/xmlrpc/tests/bug77242.phpt
new file mode 100644
index 0000000000..542c06311f
--- /dev/null
+++ b/ext/xmlrpc/tests/bug77242.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Bug #77242 (heap out of bounds read in xmlrpc_decode())
+--SKIPIF--
+<?php if (!extension_loaded("xmlrpc")) print "skip"; ?>
+--FILE--
+<?php
+var_dump(xmlrpc_decode(base64_decode("PD94bWwgdmVyc2lvbmVuY29kaW5nPSJJU084ODU5NyKkpKSkpKSkpKSkpKSkpKSkpKSkpKSk")));
+?>
+--EXPECT--
+NULL
\ No newline at end of file
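Review bot: The expected output `NULL` checks only the return value, so this test would probably pass on the unfixed code too unless the suite runs under a memory checker such as ASan or valgrind. The same holds for bug77380.phpt, where an out-of-bounds read need not change the dumped object. A short comment in the `--FILE--` section, e.g. `// malformed XML declaration followed by non-ASCII bytes, see bug #77242`, would make the case readable without decoding the payload. The file also ends without a trailing newline.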
diff --git a/ext/xmlrpc/tests/bug77380.phpt b/ext/xmlrpc/tests/bug77380.phpt
new file mode 100644
index 0000000000..8559c07a5a
--- /dev/null
+++ b/ext/xmlrpc/tests/bug77380.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #77380 (Global out of bounds read in xmlrpc base64 code)
+--SKIPIF--
+<?php
+if (!extension_loaded("xmlrpc")) print "skip";
+?>
+--FILE--
+<?php
+var_dump(xmlrpc_decode(base64_decode("PGJhc2U2ND7CkzwvYmFzZTY0Pgo=")));
+?>
+--EXPECT--
+object(stdClass)#1 (2) {
+ ["scalar"]=>
+ string(0) ""
+ ["xmlrpc_type"]=>
+ string(6) "base64"
+}