My Alpine packages repository.
https://dryabzhinsky.noip.me/packages/en/alpinelinux-support/
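--- /dev/null
+++ b/php5-5.4.45/ext/wddx/tests/bug72749.phpt
@@ -0,0 +1,34 @@
+--TEST--
+Bug #72749: wddx_deserialize allows illegal memory access
+--SKIPIF--
+<?php
+if (!extension_loaded('wddx')) {
+ die('skip. wddx not available');
+}
+?>
+--FILE--
+<?php
+$xml = <<<XML
+<?xml version='1.0'?>
+<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
+<wddxPacket version='1.0'>
+<header/>
+ <data>
+ <struct>
+ <var name='aDateTime3'>
+ <dateTime>2\r2004-09-10T05:52:49+00</dateTime>
+ </var>
+ </struct>
+ </data>
+</wddxPacket>
+XML;
+
+$array = wddx_deserialize($xml);
+var_dump($array);
+?>
+--EXPECT--
+array(1) {
+ ["aDateTime3"]=>
+ string(24) "2
+2004-09-10T05:52:49+00"
+}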
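--- a/php5-5.4.45/ext/wddx/wddx.c
+++ b/php5-5.4.45/ext/wddx/wddx.c
@@ -1105,18 +1105,26 @@
 case ST_DATETIME: {
 char *tmp;
 
- tmp = emalloc(len + 1);
- memcpy(tmp, s, len);
+ if (Z_TYPE_P(ent->data) == IS_STRING) {
+ tmp = safe_emalloc(Z_STRLEN_P(ent->data), 1, (size_t)len + 1);
+ memcpy(tmp, Z_STRVAL_P(ent->data), Z_STRLEN_P(ent->data));
+ memcpy(tmp + Z_STRLEN_P(ent->data), s, len);
+ len += Z_STRLEN_P(ent->data);
+ efree(Z_STRVAL_P(ent->data));
+ Z_TYPE_P(ent->data) = IS_LONG;
+ } else {
+ tmp = emalloc(len + 1);
+ memcpy(tmp, s, len);
+ }
 tmp[len] = '\0';
 
 Z_LVAL_P(ent->data) = php_parse_date(tmp, NULL);
 /* date out of range < 1969 or > 2038 */
 if (Z_LVAL_P(ent->data) == -1) {
- Z_TYPE_P(ent->data) = IS_STRING;
- Z_STRLEN_P(ent->data) = len;
- Z_STRVAL_P(ent->data) = estrndup(s, len);
+ ZVAL_STRINGL(ent->data, tmp, len, 0);
+ } else {
+ efree(tmp);
 }
- efree(tmp);
 }
 break;
 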
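Review bot: In the `IS_STRING` branch, `safe_emalloc()` overflow-checks the allocation size, but `len += Z_STRLEN_P(ent->data);` is unchecked arithmetic on what appears to be a signed `int` (the `(size_t)len` cast suggests so; the declaration is outside the hunk). If that sum wrapped, `tmp[len] = '\0'` would index outside the buffer just allocated, although memory limits probably keep such sizes out of reach in practice. A guard ahead of the allocation, for example `if (Z_STRLEN_P(ent->data) > INT_MAX - len) break;`, would make the bound explicit; what the error path should actually do cannot be decided from this hunk. The ownership change also deserves a comment above `ZVAL_STRINGL(ent->data, tmp, len, 0);`, such as `/* ent->data takes ownership of tmp (no copy); tmp is freed here only when the date parsed */`. The `case` block sits inside a function whose start and end are outside the hunk.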