43 lines
1.6 KiB
Diff
43 lines
1.6 KiB
Diff
From 4fc0bceb7c39be206c73f69993e3936ef329f656 Mon Sep 17 00:00:00 2001
|
|
From: Stanislav Malyshev <stas@php.net>
|
|
Date: Sat, 29 Dec 2018 17:56:36 -0800
|
|
Subject: [PATCH] Fix bug #77242 (heap out of bounds read in xmlrpc_decode())
|
|
|
|
---
|
|
ext/xmlrpc/libxmlrpc/xml_element.c | 3 +++
|
|
ext/xmlrpc/tests/bug77242.phpt | 10 ++++++++++
|
|
2 files changed, 13 insertions(+)
|
|
create mode 100644 ext/xmlrpc/tests/bug77242.phpt
|
|
|
|
diff --git a/ext/xmlrpc/libxmlrpc/xml_element.c b/ext/xmlrpc/libxmlrpc/xml_element.c
|
|
index 56642d46142e..eeec5379bf68 100644
|
|
--- a/ext/xmlrpc/libxmlrpc/xml_element.c
|
|
+++ b/ext/xmlrpc/libxmlrpc/xml_element.c
|
|
@@ -723,6 +723,9 @@ xml_element* xml_elem_parse_buf(const char* in_buf, int len, XML_ELEM_INPUT_OPTI
|
|
long byte_idx = XML_GetCurrentByteIndex(parser);
|
|
/* int byte_total = XML_GetCurrentByteCount(parser); */
|
|
const char * error_str = XML_ErrorString(err_code);
|
|
+ if(byte_idx > len) {
|
|
+ byte_idx = len;
|
|
+ }
|
|
if(byte_idx >= 0) {
|
|
snprintf(buf,
|
|
sizeof(buf),
|
|
diff --git a/ext/xmlrpc/tests/bug77242.phpt b/ext/xmlrpc/tests/bug77242.phpt
|
|
new file mode 100644
|
|
index 000000000000..542c06311f74
|
|
--- /dev/null
|
|
+++ b/ext/xmlrpc/tests/bug77242.phpt
|
|
@@ -0,0 +1,10 @@
|
|
+--TEST--
|
|
+Bug #77242 (heap out of bounds read in xmlrpc_decode())
|
|
+--SKIPIF--
|
|
+<?php if (!extension_loaded("xmlrpc")) print "skip"; ?>
|
|
+--FILE--
|
|
+<?php
|
|
+var_dump(xmlrpc_decode(base64_decode("PD94bWwgdmVyc2lvbmVuY29kaW5nPSJJU084ODU5NyKkpKSkpKSkpKSkpKSkpKSkpKSkpKSk")));
|
|
+?>
|
|
+--EXPECT--
|
|
+NULL
|
|
\ No newline at end of file
|
