From 9c62b95e5e6a1ac3922a8819f2d56d8ea998d97a Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev
Date: Sat, 29 Dec 2018 17:56:36 -0800
Subject: Fix bug #77242 (heap out of bounds read in xmlrpc_decode())
---
 ext/xmlrpc/libxmlrpc/xml_element.c | 3 +++
 ext/xmlrpc/tests/bug77242.phpt | 10 ++++++++++
 2 files changed, 13 insertions(+)
 create mode 100644 ext/xmlrpc/tests/bug77242.phpt
diff --git a/ext/xmlrpc/libxmlrpc/xml_element.c b/ext/xmlrpc/libxmlrpc/xml_element.c
index 6fc6bd3977..a30b500f2f 100644
--- a/ext/xmlrpc/libxmlrpc/xml_element.c
+++ b/ext/xmlrpc/libxmlrpc/xml_element.c
@@ -723,6 +723,9 @@ xml_element* xml_elem_parse_buf(const char* in_buf, int len, XML_ELEM_INPUT_OPTI
 long byte_idx = XML_GetCurrentByteIndex(parser);
 /* int byte_total = XML_GetCurrentByteCount(parser); */
 const char * error_str = XML_ErrorString(err_code);
+ if(byte_idx > len) {
+ byte_idx = len;
+ }
 if(byte_idx >= 0) {
 snprintf(buf,
 sizeof(buf),
diff --git a/ext/xmlrpc/tests/bug77242.phpt b/ext/xmlrpc/tests/bug77242.phpt
new file mode 100644
index 0000000000..542c06311f
--- /dev/null
+++ b/ext/xmlrpc/tests/bug77242.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Bug #77242 (heap out of bounds read in xmlrpc_decode())
+--SKIPIF--
+
+--FILE--
+
+--EXPECT--
+NULL
\ No newline at end of file
--
cgit v1.2.1
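Review bot: The clamp `if(byte_idx > len) byte_idx = len;` in the xml_element.c hunk only bounds the starting offset into `in_buf`; it does not bound how many bytes the following `snprintf` reads from there. The hunk ends at `snprintf(buf, sizeof(buf),` and `xml_elem_parse_buf` continues outside it, so the format string and arguments are not visible. If that call prints from `in_buf` with a plain `%s`, the read stops at a NUL terminator rather than at `len`, which presumably relies on every caller passing a buffer terminated at `in_buf[len]`. A precision-bounded conversion (`%.*s` with the remaining byte count `len - offset`) would make the bound explicit. A short comment above the clamp, e.g. `/* parser-reported index may exceed len on malformed input; clamp before using it as an offset into in_buf */`, would record why the check exists.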