Fix bug #77242 (heap out of bounds read in xmlrpc_decode())

author: Stanislav Malyshev <stas@php.net> 2018-12-29 17:56:36 -0800
committer: Stanislav Malyshev <stas@php.net> 2019-01-06 11:33:25 -0800
commit: 4fc0bceb7c39be206c73f69993e3936ef329f656 (patch)
tree: 6aa306b29d0500032ccf9641cc4cea99be447bd8 /ext
parent: f51062523d03911cc141507112e3ce14b41f73a2 (diff)
download: php-git-4fc0bceb7c39be206c73f69993e3936ef329f656.tar.gz
2 files changed, 13 insertions, 0 deletions
diff --git a/ext/xmlrpc/libxmlrpc/xml_element.c b/ext/xmlrpc/libxmlrpc/xml_element.c
index 56642d4614..eeec5379bf 100644
--- a/ext/xmlrpc/libxmlrpc/xml_element.c
+++ b/ext/xmlrpc/libxmlrpc/xml_element.c
@@ -723,6 +723,9 @@ xml_element* xml_elem_parse_buf(const char* in_buf, int len, XML_ELEM_INPUT_OPTI
          long byte_idx = XML_GetCurrentByteIndex(parser);
 /*         int byte_total = XML_GetCurrentByteCount(parser); */
          const char * error_str = XML_ErrorString(err_code);
+         if(byte_idx > len) {
+             byte_idx = len;
+         }
          if(byte_idx >= 0) {
              snprintf(buf, 
                       sizeof(buf),
diff --git a/ext/xmlrpc/tests/bug77242.phpt b/ext/xmlrpc/tests/bug77242.phpt
new file mode 100644
index 0000000000..542c06311f
--- /dev/null
+++ b/ext/xmlrpc/tests/bug77242.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Bug #77242 (heap out of bounds read in xmlrpc_decode())
+--SKIPIF--
+<?php if (!extension_loaded("xmlrpc")) print "skip"; ?>
+--FILE--
+<?php
+var_dump(xmlrpc_decode(base64_decode("PD94bWwgdmVyc2lvbmVuY29kaW5nPSJJU084ODU5NyKkpKSkpKSkpKSkpKSkpKSkpKSkpKSk")));
+?>
+--EXPECT--
+NULL
+\ No newline at end of file
author	Stanislav Malyshev <stas@php.net>	2018-12-29 17:56:36 -0800
committer	Stanislav Malyshev <stas@php.net>	2019-01-06 11:33:25 -0800
commit	4fc0bceb7c39be206c73f69993e3936ef329f656 (patch)
tree	6aa306b29d0500032ccf9641cc4cea99be447bd8 /ext
parent	f51062523d03911cc141507112e3ce14b41f73a2 (diff)
download	php-git-4fc0bceb7c39be206c73f69993e3936ef329f656.tar.gz