My Alpine packages repository.
https://dryabzhinsky.noip.me/packages/en/alpinelinux-support/
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
180 lines
4.8 KiB
180 lines
4.8 KiB
Index: php5-5.4.45/ext/wddx/tests/bug73065.phpt |
|
=================================================================== |
|
--- /dev/null 1970-01-01 00:00:00.000000000 +0000 |
|
+++ php5-5.4.45/ext/wddx/tests/bug73065.phpt 2016-12-09 16:05:00.999570678 +0100 |
|
@@ -0,0 +1,98 @@ |
|
+--TEST-- |
|
+Bug #73065: Out-Of-Bounds Read in php_wddx_push_element of wddx.c |
|
+--SKIPIF-- |
|
+<?php |
|
+if (!extension_loaded('wddx')) { |
|
+ die('skip. wddx not available'); |
|
+} |
|
+?> |
|
+--FILE-- |
|
+<?php |
|
+ |
|
+$xml1 = <<<XML |
|
+<?xml version='1.0' ?> |
|
+ <!DOCTYPE et SYSTEM 'w'> |
|
+ <wddxPacket ven='1.0'> |
|
+ <array> |
|
+ <var Name="name"> |
|
+ <boolean value="keliu"></boolean> |
|
+ </var> |
|
+ <var name="1111"> |
|
+ <var name="2222"> |
|
+ <var name="3333"></var> |
|
+ </var> |
|
+ </var> |
|
+ </array> |
|
+ </wddxPacket> |
|
+XML; |
|
+ |
|
+$xml2 = <<<XML |
|
+<?xml version='1.0' ?> |
|
+ <!DOCTYPE et SYSTEM 'w'> |
|
+ <wddxPacket ven='1.0'> |
|
+ <array> |
|
+ <char Name="code"> |
|
+ <boolean value="keliu"></boolean> |
|
+ </char> |
|
+ </array> |
|
+ </wddxPacket> |
|
+XML; |
|
+ |
|
+$xml3 = <<<XML |
|
+<?xml version='1.0' ?> |
|
+ <!DOCTYPE et SYSTEM 'w'> |
|
+ <wddxPacket ven='1.0'> |
|
+ <array> |
|
+ <boolean Name="value"> |
|
+ <boolean value="keliu"></boolean> |
|
+ </boolean> |
|
+ </array> |
|
+ </wddxPacket> |
|
+XML; |
|
+ |
|
+$xml4 = <<<XML |
|
+<?xml version='1.0' ?> |
|
+ <!DOCTYPE et SYSTEM 'w'> |
|
+ <wddxPacket ven='1.0'> |
|
+ <array> |
|
+ <recordset Name="fieldNames"> |
|
+ <boolean value="keliu"></boolean> |
|
+ </recordset> |
|
+ </array> |
|
+ </wddxPacket> |
|
+XML; |
|
+ |
|
+$xml5 = <<<XML |
|
+<?xml version='1.0' ?> |
|
+ <!DOCTYPE et SYSTEM 'w'> |
|
+ <wddxPacket ven='1.0'> |
|
+ <array> |
|
+ <field Name="name"> |
|
+ <boolean value="keliu"></boolean> |
|
+ </field> |
|
+ </array> |
|
+ </wddxPacket> |
|
+XML; |
|
+ |
|
+for($i=1;$i<=5;$i++) { |
|
+ $xmlvar = "xml$i"; |
|
+ $array = wddx_deserialize($$xmlvar); |
|
+ var_dump($array); |
|
+} |
|
+?> |
|
+DONE |
|
+--EXPECTF-- |
|
+array(0) { |
|
+} |
|
+array(0) { |
|
+} |
|
+array(0) { |
|
+} |
|
+array(1) { |
|
+ [0]=> |
|
+ array(0) { |
|
+ } |
|
+} |
|
+array(0) { |
|
+} |
|
+DONE |
|
\ No newline at end of file |
|
Index: php5-5.4.45/ext/wddx/wddx.c |
|
=================================================================== |
|
--- php5-5.4.45.orig/ext/wddx/wddx.c 2016-12-09 16:05:01.003570567 +0100 |
|
+++ php5-5.4.45/ext/wddx/wddx.c 2016-12-09 16:05:56.586031433 +0100 |
|
@@ -773,10 +773,10 @@ |
|
int i; |
|
|
|
if (atts) for (i = 0; atts[i]; i++) { |
|
- if (!strcmp(atts[i], EL_CHAR_CODE) && atts[++i] && atts[i][0]) { |
|
+ if (!strcmp(atts[i], EL_CHAR_CODE) && atts[i+1] && atts[i+1][0]) { |
|
char tmp_buf[2]; |
|
|
|
- snprintf(tmp_buf, sizeof(tmp_buf), "%c", (char)strtol(atts[i], NULL, 16)); |
|
+ snprintf(tmp_buf, sizeof(tmp_buf), "%c", (char)strtol(atts[i+1], NULL, 16)); |
|
php_wddx_process_data(user_data, tmp_buf, strlen(tmp_buf)); |
|
break; |
|
} |
|
@@ -794,7 +794,7 @@ |
|
int i; |
|
|
|
if (atts) for (i = 0; atts[i]; i++) { |
|
- if (!strcmp(atts[i], EL_VALUE) && atts[++i] && atts[i][0]) { |
|
+ if (!strcmp(atts[i], EL_VALUE) && atts[i+1] && atts[i+1][0]) { |
|
ent.type = ST_BOOLEAN; |
|
SET_STACK_VARNAME; |
|
|
|
@@ -802,7 +802,7 @@ |
|
INIT_PZVAL(ent.data); |
|
Z_TYPE_P(ent.data) = IS_BOOL; |
|
wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry)); |
|
- php_wddx_process_data(user_data, atts[i], strlen(atts[i])); |
|
+ php_wddx_process_data(user_data, atts[i+1], strlen(atts[i+1])); |
|
break; |
|
} |
|
} |
|
@@ -835,8 +835,8 @@ |
|
int i; |
|
|
|
if (atts) for (i = 0; atts[i]; i++) { |
|
- if (!strcmp(atts[i], EL_NAME) && atts[++i] && atts[i][0]) { |
|
- stack->varname = estrdup(atts[i]); |
|
+ if (!strcmp(atts[i], EL_NAME) && atts[i+1] && atts[i+1][0]) { |
|
+ stack->varname = estrdup(atts[i+1]); |
|
break; |
|
} |
|
} |
|
@@ -849,11 +849,12 @@ |
|
array_init(ent.data); |
|
|
|
if (atts) for (i = 0; atts[i]; i++) { |
|
- if (!strcmp(atts[i], "fieldNames") && atts[++i] && atts[i][0]) { |
|
+ if (!strcmp(atts[i], "fieldNames") && atts[i+1] && atts[i+1][0]) { |
|
zval *tmp; |
|
char *key; |
|
char *p1, *p2, *endp; |
|
|
|
+ i++; |
|
endp = (char *)atts[i] + strlen(atts[i]); |
|
p1 = (char *)atts[i]; |
|
while ((p2 = php_memnstr(p1, ",", sizeof(",")-1, endp)) != NULL) { |
|
@@ -885,13 +886,13 @@ |
|
ent.data = NULL; |
|
|
|
if (atts) for (i = 0; atts[i]; i++) { |
|
- if (!strcmp(atts[i], EL_NAME) && atts[++i] && atts[i][0]) { |
|
+ if (!strcmp(atts[i], EL_NAME) && atts[i+1] && atts[i+1][0]) { |
|
st_entry *recordset; |
|
zval **field; |
|
|
|
if (wddx_stack_top(stack, (void**)&recordset) == SUCCESS && |
|
recordset->type == ST_RECORDSET && |
|
- zend_hash_find(Z_ARRVAL_P(recordset->data), (char*)atts[i], strlen(atts[i])+1, (void**)&field) == SUCCESS) { |
|
+ zend_hash_find(Z_ARRVAL_P(recordset->data), (char*)atts[i+1], strlen(atts[i+1])+1, (void**)&field) == SUCCESS) { |
|
ent.data = *field; |
|
} |
|
|
|
|