Fixed #70728

diff --git a/ext/xmlrpc/tests/bug70728.phpt b/ext/xmlrpc/tests/bug70728.phpt
new file mode 100644 (file)
index 0000000..5510c33
--- /dev/null
+++ b/ext/xmlrpc/tests/bug70728.phpt
@@ -0,0 +1,30 @@
+--TEST--
+Bug #70728 (Type Confusion Vulnerability in PHP_to_XMLRPC_worker)
+--SKIPIF--
+<?php
+if (!extension_loaded("xmlrpc")) print "skip";
+?>
+--FILE--
+<?php
+$obj = new stdClass;
+$obj->xmlrpc_type = 'base64';
+$obj->scalar = 0x1122334455;
+var_dump(xmlrpc_encode($obj));
+var_dump($obj);
+?>
+--EXPECTF--    
+string(135) "<?xml version="1.0" encoding="utf-8"?>
+<params>
+<param>
+ <value>
+  <base64>NzM1ODgyMjkyMDU=&#10;</base64>
+ </value>
+</param>
+</params>
+"
+object(stdClass)#1 (2) {
+  ["xmlrpc_type"]=>
+  string(6) "base64"
+  ["scalar"]=>
+  int(73588229205)
+}

diff --git a/ext/xmlrpc/xmlrpc-epi-php.c b/ext/xmlrpc/xmlrpc-epi-php.c
index 613892ce24ef8632481fb7787cc11e0890c60a20..6c764347f52ae7be2405310ea54e9602426b2f57 100644 (file)
--- a/ext/xmlrpc/xmlrpc-epi-php.c
+++ b/ext/xmlrpc/xmlrpc-epi-php.c
@@ -532,7 +532,16 @@ static XMLRPC_VALUE PHP_to_XMLRPC_worker (const char* key, zval* in_val, int dep
                                                xReturn = XMLRPC_CreateValueEmpty();
                                                XMLRPC_SetValueID(xReturn, key, 0);
                                        } else {
-                                               xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL_P(val), Z_STRLEN_P(val));
+                                               if (Z_TYPE_P(val) != IS_STRING) {
+                                                       zval *newvalue;
+                                                       ALLOC_INIT_ZVAL(newvalue);
+                                                       MAKE_COPY_ZVAL(&val, newvalue);
+                                                       convert_to_string(newvalue);
+                                                       xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL_P(newvalue), Z_STRLEN_P(newvalue));
+                                                       zval_ptr_dtor(&newvalue);
+                                               } else {
+                                                       xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL_P(val), Z_STRLEN_P(val));
+                                               }
                                        }
                                        break;
                                case xmlrpc_datetime:
@@ -1452,7 +1461,7 @@ XMLRPC_VALUE_TYPE get_zval_xmlrpc_type(zval* value, zval** newvalue) /* {{{ */
                if (newvalue) {
                        zval** val;
 
-                       if ((type == xmlrpc_base64 && Z_TYPE_P(value) != IS_NULL) || type == xmlrpc_datetime) {
+                       if ((type == xmlrpc_base64 && Z_TYPE_P(value) == IS_OBJECT) || type == xmlrpc_datetime) {
                                if (zend_hash_find(Z_OBJPROP_P(value), OBJECT_VALUE_ATTR, sizeof(OBJECT_VALUE_ATTR), (void**) &val) == SUCCESS) {
                                        *newvalue = *val;
                                }