You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
alpine-pkg/testing/php5.4/d06-u012-CVE-2016-7418.patch

180 lines
4.8 KiB

Index: php5-5.4.45/ext/wddx/tests/bug73065.phpt
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ php5-5.4.45/ext/wddx/tests/bug73065.phpt 2016-12-09 16:05:00.999570678 +0100
@@ -0,0 +1,98 @@
+--TEST--
+Bug #73065: Out-Of-Bounds Read in php_wddx_push_element of wddx.c
+--SKIPIF--
+<?php
+if (!extension_loaded('wddx')) {
+ die('skip. wddx not available');
+}
+?>
+--FILE--
+<?php
+
+$xml1 = <<<XML
+<?xml version='1.0' ?>
+ <!DOCTYPE et SYSTEM 'w'>
+ <wddxPacket ven='1.0'>
+ <array>
+ <var Name="name">
+ <boolean value="keliu"></boolean>
+ </var>
+ <var name="1111">
+ <var name="2222">
+ <var name="3333"></var>
+ </var>
+ </var>
+ </array>
+ </wddxPacket>
+XML;
+
+$xml2 = <<<XML
+<?xml version='1.0' ?>
+ <!DOCTYPE et SYSTEM 'w'>
+ <wddxPacket ven='1.0'>
+ <array>
+ <char Name="code">
+ <boolean value="keliu"></boolean>
+ </char>
+ </array>
+ </wddxPacket>
+XML;
+
+$xml3 = <<<XML
+<?xml version='1.0' ?>
+ <!DOCTYPE et SYSTEM 'w'>
+ <wddxPacket ven='1.0'>
+ <array>
+ <boolean Name="value">
+ <boolean value="keliu"></boolean>
+ </boolean>
+ </array>
+ </wddxPacket>
+XML;
+
+$xml4 = <<<XML
+<?xml version='1.0' ?>
+ <!DOCTYPE et SYSTEM 'w'>
+ <wddxPacket ven='1.0'>
+ <array>
+ <recordset Name="fieldNames">
+ <boolean value="keliu"></boolean>
+ </recordset>
+ </array>
+ </wddxPacket>
+XML;
+
+$xml5 = <<<XML
+<?xml version='1.0' ?>
+ <!DOCTYPE et SYSTEM 'w'>
+ <wddxPacket ven='1.0'>
+ <array>
+ <field Name="name">
+ <boolean value="keliu"></boolean>
+ </field>
+ </array>
+ </wddxPacket>
+XML;
+
+for($i=1;$i<=5;$i++) {
+ $xmlvar = "xml$i";
+ $array = wddx_deserialize($$xmlvar);
+ var_dump($array);
+}
+?>
+DONE
+--EXPECTF--
+array(0) {
+}
+array(0) {
+}
+array(0) {
+}
+array(1) {
+ [0]=>
+ array(0) {
+ }
+}
+array(0) {
+}
+DONE
\ No newline at end of file
Index: php5-5.4.45/ext/wddx/wddx.c
===================================================================
--- php5-5.4.45.orig/ext/wddx/wddx.c 2016-12-09 16:05:01.003570567 +0100
+++ php5-5.4.45/ext/wddx/wddx.c 2016-12-09 16:05:56.586031433 +0100
@@ -773,10 +773,10 @@
int i;
if (atts) for (i = 0; atts[i]; i++) {
- if (!strcmp(atts[i], EL_CHAR_CODE) && atts[++i] && atts[i][0]) {
+ if (!strcmp(atts[i], EL_CHAR_CODE) && atts[i+1] && atts[i+1][0]) {
char tmp_buf[2];
- snprintf(tmp_buf, sizeof(tmp_buf), "%c", (char)strtol(atts[i], NULL, 16));
+ snprintf(tmp_buf, sizeof(tmp_buf), "%c", (char)strtol(atts[i+1], NULL, 16));
php_wddx_process_data(user_data, tmp_buf, strlen(tmp_buf));
break;
}
@@ -794,7 +794,7 @@
int i;
if (atts) for (i = 0; atts[i]; i++) {
- if (!strcmp(atts[i], EL_VALUE) && atts[++i] && atts[i][0]) {
+ if (!strcmp(atts[i], EL_VALUE) && atts[i+1] && atts[i+1][0]) {
ent.type = ST_BOOLEAN;
SET_STACK_VARNAME;
@@ -802,7 +802,7 @@
INIT_PZVAL(ent.data);
Z_TYPE_P(ent.data) = IS_BOOL;
wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry));
- php_wddx_process_data(user_data, atts[i], strlen(atts[i]));
+ php_wddx_process_data(user_data, atts[i+1], strlen(atts[i+1]));
break;
}
}
@@ -835,8 +835,8 @@
int i;
if (atts) for (i = 0; atts[i]; i++) {
- if (!strcmp(atts[i], EL_NAME) && atts[++i] && atts[i][0]) {
- stack->varname = estrdup(atts[i]);
+ if (!strcmp(atts[i], EL_NAME) && atts[i+1] && atts[i+1][0]) {
+ stack->varname = estrdup(atts[i+1]);
break;
}
}
@@ -849,11 +849,12 @@
array_init(ent.data);
if (atts) for (i = 0; atts[i]; i++) {
- if (!strcmp(atts[i], "fieldNames") && atts[++i] && atts[i][0]) {
+ if (!strcmp(atts[i], "fieldNames") && atts[i+1] && atts[i+1][0]) {
zval *tmp;
char *key;
char *p1, *p2, *endp;
+ i++;
endp = (char *)atts[i] + strlen(atts[i]);
p1 = (char *)atts[i];
while ((p2 = php_memnstr(p1, ",", sizeof(",")-1, endp)) != NULL) {
@@ -885,13 +886,13 @@
ent.data = NULL;
if (atts) for (i = 0; atts[i]; i++) {
- if (!strcmp(atts[i], EL_NAME) && atts[++i] && atts[i][0]) {
+ if (!strcmp(atts[i], EL_NAME) && atts[i+1] && atts[i+1][0]) {
st_entry *recordset;
zval **field;
if (wddx_stack_top(stack, (void**)&recordset) == SUCCESS &&
recordset->type == ST_RECORDSET &&
- zend_hash_find(Z_ARRVAL_P(recordset->data), (char*)atts[i], strlen(atts[i])+1, (void**)&field) == SUCCESS) {
+ zend_hash_find(Z_ARRVAL_P(recordset->data), (char*)atts[i+1], strlen(atts[i+1])+1, (void**)&field) == SUCCESS) {
ent.data = *field;
}