MFB: Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime

values).

diff --git a/ext/xmlrpc/libxmlrpc/xmlrpc.c b/ext/xmlrpc/libxmlrpc/xmlrpc.c
index 3c192d93f674f87b8177ebc3d70568a708f25e32..cf1f0a5167439494a6da4525ee49710f14055987 100644 (file)
--- a/ext/xmlrpc/libxmlrpc/xmlrpc.c
+++ b/ext/xmlrpc/libxmlrpc/xmlrpc.c
@@ -43,6 +43,9 @@ static const char rcsid[] = "#(@) $Id$";
  *   9/1999 - 10/2000
  * HISTORY
  *   $Log$
+ *   Revision 1.11  2007/06/07 09:07:12  tony2001
+ *   php_localtime_r() checks
+ *
  *   Revision 1.10  2007/01/01 09:29:33  sebastian
  *   Bump year.
  *
@@ -176,7 +179,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
                        }
                        p++;
                }
-               text = buf;
+                       text = buf;
        }
 
 
@@ -186,15 +189,19 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
       return -1;
    }
 
+#define XMLRPC_IS_NUMBER(x) if (x < '0' || x > '9') return -1;
+
    n = 1000;
    tm.tm_year = 0;
    for(i = 0; i < 4; i++) {
+      XMLRPC_IS_NUMBER(text[i])
       tm.tm_year += (text[i]-'0')*n;
       n /= 10;
    }
    n = 10;
    tm.tm_mon = 0;
    for(i = 0; i < 2; i++) {
+      XMLRPC_IS_NUMBER(text[i])
       tm.tm_mon += (text[i+4]-'0')*n;
       n /= 10;
    }
@@ -203,6 +210,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
    n = 10;
    tm.tm_mday = 0;
    for(i = 0; i < 2; i++) {
+      XMLRPC_IS_NUMBER(text[i])
       tm.tm_mday += (text[i+6]-'0')*n;
       n /= 10;
    }
@@ -210,6 +218,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
    n = 10;
    tm.tm_hour = 0;
    for(i = 0; i < 2; i++) {
+      XMLRPC_IS_NUMBER(text[i])
       tm.tm_hour += (text[i+9]-'0')*n;
       n /= 10;
    }
@@ -217,6 +226,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
    n = 10;
    tm.tm_min = 0;
    for(i = 0; i < 2; i++) {
+      XMLRPC_IS_NUMBER(text[i])
       tm.tm_min += (text[i+12]-'0')*n;
       n /= 10;
    }
@@ -224,6 +234,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
    n = 10;
    tm.tm_sec = 0;
    for(i = 0; i < 2; i++) {
+      XMLRPC_IS_NUMBER(text[i])
       tm.tm_sec += (text[i+15]-'0')*n;
       n /= 10;
    }

diff --git a/ext/xmlrpc/tests/bug42189.phpt b/ext/xmlrpc/tests/bug42189.phpt
new file mode 100644 (file)
index 0000000..55e726c
--- /dev/null
+++ b/ext/xmlrpc/tests/bug42189.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #42189 (xmlrpc_get_type() crashes PHP on invalid dates)
+--SKIPIF--
+<?php if (!extension_loaded("xmlrpc")) print "skip"; ?>
+--FILE--
+<?php
+$a = '~~~~~~~~~~~~~~~~~~';
+$ok = xmlrpc_set_type($a, 'datetime');
+var_dump($ok);
+
+echo "Done\n";
+?>
+--EXPECT--     
+bool(false)
+Done

diff --git a/ext/xmlrpc/xmlrpc-epi-php.c b/ext/xmlrpc/xmlrpc-epi-php.c
index 8c891d4659de84fafa0966dfb30e9a4a09a5cca7..a49448f224c79a27fda294ddaa928518e8ff004e 100644 (file)
--- a/ext/xmlrpc/xmlrpc-epi-php.c
+++ b/ext/xmlrpc/xmlrpc-epi-php.c
@@ -1313,8 +1313,12 @@ int set_zval_xmlrpc_type(zval* value, XMLRPC_VALUE_TYPE newtype) /* {{{ */
                                                if(SUCCESS == zend_hash_update(Z_OBJPROP_P(value), OBJECT_TYPE_ATTR, sizeof(OBJECT_TYPE_ATTR), (void *) &type, sizeof(zval *), NULL)) {
                                                        bSuccess = zend_hash_update(Z_OBJPROP_P(value), OBJECT_VALUE_TS_ATTR, sizeof(OBJECT_VALUE_TS_ATTR), (void *) &ztimestamp, sizeof(zval *), NULL);
                                                }
+                                       } else {
+                                               zval_ptr_dtor(&type);
                                        }
                                        XMLRPC_CleanupValue(v);
+                               } else {
+                                       zval_ptr_dtor(&type);
                                }
                        }
                        else {