
From: Markus Koschany <apo@debian.org>
Date: Sun, 16 Jul 2017 18:15:19 +0200
Subject: CVE-2017-11143
Bug-Upstream: https://bugs.php.net/bug.php?id=74145
Origin: https://git.php.net/?p=php-src.git;a=commitdiff;h=2aae60461c2ff7b7fbcdd194c789ac841d0747d7
Origin: http://git.php.net/?p=php-src.git;a=commitdiff;h=f269cdcd4f76accbecd03884f327cffb9a7f1ca9
---
ext/wddx/tests/bug74145.phpt | 16 ++++++++++++++++
ext/wddx/tests/bug74145.xml | 9 +++++++++
ext/wddx/wddx.c | 10 ++++++----
3 files changed, 31 insertions(+), 4 deletions(-)
create mode 100644 ext/wddx/tests/bug74145.phpt
create mode 100644 ext/wddx/tests/bug74145.xml
diff --git a/ext/wddx/tests/bug74145.phpt b/ext/wddx/tests/bug74145.phpt
new file mode 100644
index 0000000..a99a117
--- /dev/null
+++ b/ext/wddx/tests/bug74145.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Bug #74145 (wddx parsing empty boolean tag leads to SIGSEGV)
+--SKIPIF--
+<?php
+if (!extension_loaded("wddx")) print "skip";
+?>
+--FILE--
+<?php
+$data = file_get_contents(__DIR__ . '/bug74145.xml');
+$wddx = wddx_deserialize($data);
+var_dump($wddx);
+?>
+DONE
+--EXPECTF--
+NULL
+DONE
\ No newline at end of file
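Review bot: The regression test loads only the attribute-less `<boolean ></boolean>` fixture, so at most one of the two branches changed in ext/wddx/wddx.c is exercised. A second fixture with `<boolean value="true">`, and one whose `value` is empty or absent alongside another attribute, would pin the reordered allocation in the loop branch as well. `--EXPECTF--` is used here without any format placeholders; `--EXPECT--` states the literal match more directly.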
diff --git a/ext/wddx/tests/bug74145.xml b/ext/wddx/tests/bug74145.xml
new file mode 100644
index 0000000..e5d35fb
--- /dev/null
+++ b/ext/wddx/tests/bug74145.xml
@@ -0,0 +1,9 @@
+<?xml version='1.0' ?>
+ <!DOCTYPE et SYSTEM 'w'>
+ <wddxPacket ven='1.0'>
+ <array>
+ <var Name="name">
+ <boolean ></boolean>
+ </var>
+ </array>
+ </wddxPacket>
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
index d401b62..3293d62 100644
--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@@ -795,20 +795,22 @@ static void php_wddx_push_element(void *user_data, const XML_Char *name, const X
if (atts) for (i = 0; atts[i]; i++) {
if (!strcmp(atts[i], EL_VALUE) && atts[i+1] && atts[i+1][0]) {
- ent.type = ST_BOOLEAN;
- SET_STACK_VARNAME;
-
ALLOC_ZVAL(ent.data);
INIT_PZVAL(ent.data);
Z_TYPE_P(ent.data) = IS_BOOL;
+ ent.type = ST_BOOLEAN;
+ SET_STACK_VARNAME;
wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry));
php_wddx_process_data(user_data, atts[i+1], strlen(atts[i+1]));
break;
}
} else {
+ ALLOC_ZVAL(ent.data);
+ INIT_PZVAL(ent.data);
+ Z_TYPE_P(ent.data) = IS_BOOL;
ent.type = ST_BOOLEAN;
SET_STACK_VARNAME;
- ZVAL_FALSE(&ent.data);
+ ZVAL_FALSE(ent.data);
wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry));
}
} else if (!strcmp(name, EL_NULL)) {
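Review bot: In the loop branch an entry is still pushed only when a non-empty `value` attribute is found, so a `<boolean>` whose attribute list is non-NULL but has no usable `value` pushes nothing. The end-element handler is outside this hunk, so confirm that it does not then act on the stack entry of the enclosing element. Separately, the loop branch sets only the type tag with `Z_TYPE_P(ent.data) = IS_BOOL;` and leaves the value to php_wddx_process_data (not shown). Using `ZVAL_FALSE(ent.data);` there, as the else branch does, would give a defined default; in the else branch it already makes the added `Z_TYPE_P` line redundant. php_wddx_push_element starts and ends outside the hunk.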