My Alpine packages repository.
https://dryabzhinsky.noip.me/packages/en/alpinelinux-support/
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
67 lines
2.1 KiB
67 lines
2.1 KiB
7 months ago
|
Index: php5-5.4.45/ext/xmlrpc/tests/bug70728.phpt
|
||
|
|
===================================================================
|
||
|
|
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
|
||
|
|
+++ php5-5.4.45/ext/xmlrpc/tests/bug70728.phpt 2016-06-19 11:49:38.000000000 +0200
|
||
|
|
@@ -0,0 +1,30 @@
|
||
|
|
+--TEST--
|
||
|
|
+Bug #70728 (Type Confusion Vulnerability in PHP_to_XMLRPC_worker)
|
||
|
|
+--SKIPIF--
|
||
|
|
+<?php
|
||
|
|
+if (!extension_loaded("xmlrpc")) print "skip";
|
||
|
|
+?>
|
||
|
|
+--FILE--
|
||
|
|
+<?php
|
||
|
|
+$obj = new stdClass;
|
||
|
|
+$obj->xmlrpc_type = 'base64';
|
||
|
|
+$obj->scalar = 0x1122334455;
|
||
|
|
+var_dump(xmlrpc_encode($obj));
|
||
|
|
+var_dump($obj);
|
||
|
|
+?>
|
||
|
|
+--EXPECTF--
|
||
|
|
+string(135) "<?xml version="1.0" encoding="utf-8"?>
|
||
|
|
+<params>
|
||
|
|
+<param>
|
||
|
|
+ <value>
|
||
|
|
+ <base64>NzM1ODgyMjkyMDU= </base64>
|
||
|
|
+ </value>
|
||
|
|
+</param>
|
||
|
|
+</params>
|
||
|
|
+"
|
||
|
|
+object(stdClass)#1 (2) {
|
||
|
|
+ ["xmlrpc_type"]=>
|
||
|
|
+ string(6) "base64"
|
||
|
|
+ ["scalar"]=>
|
||
|
|
+ int(73588229205)
|
||
|
|
+}
|
||
|
|
Index: php5-5.4.45/ext/xmlrpc/xmlrpc-epi-php.c
|
||
|
|
===================================================================
|
||
|
|
--- php5-5.4.45.orig/ext/xmlrpc/xmlrpc-epi-php.c 2016-06-19 11:49:11.000000000 +0200
|
||
|
|
+++ php5-5.4.45/ext/xmlrpc/xmlrpc-epi-php.c 2016-06-19 11:49:11.000000000 +0200
|
||
|
|
@@ -532,7 +532,16 @@
|
||
|
|
xReturn = XMLRPC_CreateValueEmpty();
|
||
|
|
XMLRPC_SetValueID(xReturn, key, 0);
|
||
|
|
} else {
|
||
|
|
- xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL_P(val), Z_STRLEN_P(val));
|
||
|
|
+ if (Z_TYPE_P(val) != IS_STRING) {
|
||
|
|
+ zval *newvalue;
|
||
|
|
+ ALLOC_INIT_ZVAL(newvalue);
|
||
|
|
+ MAKE_COPY_ZVAL(&val, newvalue);
|
||
|
|
+ convert_to_string(newvalue);
|
||
|
|
+ xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL_P(newvalue), Z_STRLEN_P(newvalue));
|
||
|
|
+ zval_ptr_dtor(&newvalue);
|
||
|
|
+ } else {
|
||
|
|
+ xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL_P(val), Z_STRLEN_P(val));
|
||
|
|
+ }
|
||
|
|
}
|
||
|
|
break;
|
||
|
|
case xmlrpc_datetime:
|
||
|
|
@@ -1452,7 +1461,7 @@
|
||
|
|
if (newvalue) {
|
||
|
|
zval** val;
|
||
|
|
|
||
|
|
- if ((type == xmlrpc_base64 && Z_TYPE_P(value) != IS_NULL) || type == xmlrpc_datetime) {
|
||
|
|
+ if ((type == xmlrpc_base64 && Z_TYPE_P(value) == IS_OBJECT) || type == xmlrpc_datetime) {
|
||
|
|
if (zend_hash_find(Z_OBJPROP_P(value), OBJECT_VALUE_ATTR, sizeof(OBJECT_VALUE_ATTR), (void**) &val) == SUCCESS) {
|
||
|
|
*newvalue = *val;
|
||
|
|
}
|