You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 

76 lines
2.1 KiB

Index: php5-5.4.45/ext/wddx/tests/bug72749.phpt
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ php5-5.4.45/ext/wddx/tests/bug72749.phpt 2016-12-09 15:45:36.387804112 +0100
@@ -0,0 +1,34 @@
+--TEST--
+Bug #72749: wddx_deserialize allows illegal memory access
+--SKIPIF--
+<?php
+if (!extension_loaded('wddx')) {
+ die('skip. wddx not available');
+}
+?>
+--FILE--
+<?php
+$xml = <<<XML
+<?xml version='1.0'?>
+<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
+<wddxPacket version='1.0'>
+<header/>
+ <data>
+ <struct>
+ <var name='aDateTime3'>
+ <dateTime>2\r2004-09-10T05:52:49+00</dateTime>
+ </var>
+ </struct>
+ </data>
+</wddxPacket>
+XML;
+
+$array = wddx_deserialize($xml);
+var_dump($array);
+?>
+--EXPECT--
+array(1) {
+ ["aDateTime3"]=>
+ string(24) "2
+2004-09-10T05:52:49+00"
+}
Index: php5-5.4.45/ext/wddx/wddx.c
===================================================================
--- php5-5.4.45.orig/ext/wddx/wddx.c 2016-12-09 15:45:36.395803891 +0100
+++ php5-5.4.45/ext/wddx/wddx.c 2016-12-09 15:45:36.391804001 +0100
@@ -1105,18 +1105,26 @@
case ST_DATETIME: {
char *tmp;
- tmp = emalloc(len + 1);
- memcpy(tmp, s, len);
+ if (Z_TYPE_P(ent->data) == IS_STRING) {
+ tmp = safe_emalloc(Z_STRLEN_P(ent->data), 1, (size_t)len + 1);
+ memcpy(tmp, Z_STRVAL_P(ent->data), Z_STRLEN_P(ent->data));
+ memcpy(tmp + Z_STRLEN_P(ent->data), s, len);
+ len += Z_STRLEN_P(ent->data);
+ efree(Z_STRVAL_P(ent->data));
+ Z_TYPE_P(ent->data) = IS_LONG;
+ } else {
+ tmp = emalloc(len + 1);
+ memcpy(tmp, s, len);
+ }
tmp[len] = '\0';
Z_LVAL_P(ent->data) = php_parse_date(tmp, NULL);
/* date out of range < 1969 or > 2038 */
if (Z_LVAL_P(ent->data) == -1) {
- Z_TYPE_P(ent->data) = IS_STRING;
- Z_STRLEN_P(ent->data) = len;
- Z_STRVAL_P(ent->data) = estrndup(s, len);
+ ZVAL_STRINGL(ent->data, tmp, len, 0);
+ } else {
+ efree(tmp);
}
- efree(tmp);
}
break;