Mercurial Mercurial > upstream > oracle > userland-gate / comparison
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
components/php-5_3/php-sapi/patches/273_php_20192108.patch
branchs11-update
changeset 4499 4e8085696007
equal deleted inserted replaced
4497:7665830787a5 4499:4e8085696007 
       
     1 CVE-2014-3668
 
       
     2 Community BUG:
 
       
     3 https://bugs.php.net/bug.php?id=68027
 
       
     4 Community CODE:
 
       
     5 http://git.php.net/?p=php-src.git;a=commit;h=88412772d295ebf7dd34409534507dc9bcac726e
 
       
     6 Below is the community patch.
 
       
     7 
       
     8 
       
     9 From 88412772d295ebf7dd34409534507dc9bcac726e Mon Sep 17 00:00:00 2001
 
       
    10 From: Stanislav Malyshev <[email protected]>
 
       
    11 Date: Sun, 28 Sep 2014 17:33:44 -0700
 
       
    12 Subject: [PATCH] Fix bug #68027 - fix date parsing in XMLRPC lib
 
       
    13 
       
    14 ---
 
       
    15  NEWS                           |  5 ++++-
 
       
    16  ext/xmlrpc/libxmlrpc/xmlrpc.c  | 13 ++++++++-----
 
       
    17  ext/xmlrpc/tests/bug68027.phpt | 44 ++++++++++++++++++++++++++++++++++++++++++
 
       
    18  3 files changed, 56 insertions(+), 6 deletions(-)
 
       
    19  create mode 100644 ext/xmlrpc/tests/bug68027.phpt
 
       
    20 
       
    21 diff --git a/ext/xmlrpc/libxmlrpc/xmlrpc.c b/ext/xmlrpc/libxmlrpc/xmlrpc.c
 
       
    22 index ce70c2a..b766a54 100644
 
       
    23 --- a/ext/xmlrpc/libxmlrpc/xmlrpc.c
 
       
    24 +++ b/ext/xmlrpc/libxmlrpc/xmlrpc.c
 
       
    25 @@ -219,16 +219,19 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
 
       
    26     n = 10;
 
       
    27     tm.tm_mon = 0;
 
       
    28     for(i = 0; i < 2; i++) {
 
       
    29 -      XMLRPC_IS_NUMBER(text[i])
 
       
    30 +      XMLRPC_IS_NUMBER(text[i+4])
 
       
    31        tm.tm_mon += (text[i+4]-'0')*n;
 
       
    32        n /= 10;
 
       
    33     }
 
       
    34     tm.tm_mon --;
 
       
    35 +   if(tm.tm_mon < 0 || tm.tm_mon > 11) {
 
       
    36 +       return -1;
 
       
    37 +   }
 
       
    38  
       
    39     n = 10;
 
       
    40     tm.tm_mday = 0;
 
       
    41     for(i = 0; i < 2; i++) {
 
       
    42 -      XMLRPC_IS_NUMBER(text[i])
 
       
    43 +      XMLRPC_IS_NUMBER(text[i+6])
 
       
    44        tm.tm_mday += (text[i+6]-'0')*n;
 
       
    45        n /= 10;
 
       
    46     }
 
       
    47 @@ -236,7 +239,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
 
       
    48     n = 10;
 
       
    49     tm.tm_hour = 0;
 
       
    50     for(i = 0; i < 2; i++) {
 
       
    51 -      XMLRPC_IS_NUMBER(text[i])
 
       
    52 +      XMLRPC_IS_NUMBER(text[i+9])
 
       
    53        tm.tm_hour += (text[i+9]-'0')*n;
 
       
    54        n /= 10;
 
       
    55     }
 
       
    56 @@ -244,7 +247,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
 
       
    57     n = 10;
 
       
    58     tm.tm_min = 0;
 
       
    59     for(i = 0; i < 2; i++) {
 
       
    60 -      XMLRPC_IS_NUMBER(text[i])
 
       
    61 +      XMLRPC_IS_NUMBER(text[i+12])
 
       
    62        tm.tm_min += (text[i+12]-'0')*n;
 
       
    63        n /= 10;
 
       
    64     }
 
       
    65 @@ -252,7 +255,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
 
       
    66     n = 10;
 
       
    67     tm.tm_sec = 0;
 
       
    68     for(i = 0; i < 2; i++) {
 
       
    69 -      XMLRPC_IS_NUMBER(text[i])
 
       
    70 +      XMLRPC_IS_NUMBER(text[i+15])
 
       
    71        tm.tm_sec += (text[i+15]-'0')*n;
 
       
    72        n /= 10;
 
       
    73     }
 
       
    74 diff --git a/ext/xmlrpc/tests/bug68027.phpt b/ext/xmlrpc/tests/bug68027.phpt
 
       
    75 new file mode 100644
 
       
    76 index 0000000..a5c96f1
 
       
    77 --- /dev/null
 
       
    78 +++ b/ext/xmlrpc/tests/bug68027.phpt
 
       
    79 @@ -0,0 +1,44 @@
 
       
    80 +--TEST--
 
       
    81 +Bug #68027 (buffer overflow in mkgmtime() function)
 
       
    82 +--SKIPIF--
 
       
    83 +<?php
 
       
    84 +if (!extension_loaded("xmlrpc")) print "skip";
 
       
    85 +?>
 
       
    86 +--FILE--
 
       
    87 +<?php
 
       
    88 +
 
       
    89 +$d = '6-01-01 20:00:00';
 
       
    90 +xmlrpc_set_type($d, 'datetime');
 
       
    91 +var_dump($d);
 
       
    92 +$datetime = "2001-0-08T21:46:40-0400";
 
       
    93 +$obj = xmlrpc_decode("<?xml version=\"1.0\"?><methodResponse><params><param><value><dateTime.iso8601>$datetime</dateTime.iso8601></value></param></params></methodResponse>");
 
       
    94 +print_r($obj);
 
       
    95 +
 
       
    96 +$datetime = "34770-0-08T21:46:40-0400";
 
       
    97 +$obj = xmlrpc_decode("<?xml version=\"1.0\"?><methodResponse><params><param><value><dateTime.iso8601>$datetime</dateTime.iso8601></value></param></params></methodResponse>");
 
       
    98 +print_r($obj);
 
       
    99 +
 
       
   100 +echo "Done\n";
 
       
   101 +?>
 
       
   102 +--EXPECTF--	
       
   103 +object(stdClass)#1 (3) {
 
       
   104 +  ["scalar"]=>
 
       
   105 +  string(16) "6-01-01 20:00:00"
 
       
   106 +  ["xmlrpc_type"]=>
 
       
   107 +  string(8) "datetime"
 
       
   108 +  ["timestamp"]=>
 
       
   109 +  int(%d)
 
       
   110 +}
 
       
   111 +stdClass Object
 
       
   112 +(
 
       
   113 +    [scalar] => 2001-0-08T21:46:40-0400
 
       
   114 +    [xmlrpc_type] => datetime
 
       
   115 +    [timestamp] => %s
 
       
   116 +)
 
       
   117 +stdClass Object
 
       
   118 +(
 
       
   119 +    [scalar] => 34770-0-08T21:46:40-0400
 
       
   120 +    [xmlrpc_type] => datetime
 
       
   121 +    [timestamp] => %d
 
       
   122 +)
 
       
   123 +Done
 
       
   124 -- 
       
   125 2.1.4
 
       
   126
upstream/oracle/userland-gate