Re-Fixed bug #72155 (use-after-free caused by get_zval_xmlrpc_type)
authorXinchen Hui <laruence@gmail.com>
Tue, 31 May 2016 03:44:20 +0000 (11:44 +0800)
committerXinchen Hui <laruence@gmail.com>
Tue, 31 May 2016 03:44:20 +0000 (11:44 +0800)
NEWS
ext/xmlrpc/tests/bug72155.phpt [new file with mode: 0644]
ext/xmlrpc/xmlrpc-epi-php.c

diff --git a/NEWS b/NEWS
index 1988e935cb7a4ae556bb8bdb61f1bb1014762963..6fc0149b15139b6747dd8094ba9586635bee3860 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -33,10 +33,11 @@ PHP                                                                        NEWS
     (Thomas Punt)
 
 - XML:
-  . Fixed #72206 (xml_parser_create/xml_parser_free leaks mem). (Joe)
+  . Fixed bug #72206 (xml_parser_create/xml_parser_free leaks mem). (Joe)
 
 - XMLRPC:
-  . Fixed #72155 (use-after-free caused by get_zval_xmlrpc_type). (Joe)
+  . Fixed bug #72155 (use-after-free caused by get_zval_xmlrpc_type).
+    (Joe, Laruence)
 
 - Zip:
   . Fixed ug #72258 (ZipArchive converts filenames to unrecoverable form).
diff --git a/ext/xmlrpc/tests/bug72155.phpt b/ext/xmlrpc/tests/bug72155.phpt
new file mode 100644 (file)
index 0000000..38c90be
--- /dev/null
@@ -0,0 +1,22 @@
+--TEST--
+Bug #72155 (use-after-free caused by get_zval_xmlrpc_type)
+--SKIPIF--
+<?php
+if (!extension_loaded("xmlrpc")) print "skip";
+?>
+--FILE--
+<?php
+$var0 = fopen("/etc/passwd","r");
+$var1 = xmlrpc_encode($var0);
+var_dump($var1);
+?>
+--EXPECTF--
+string(109) "<?xml version="1.0" encoding="utf-8"?>
+<params>
+<param>
+ <value>
+  <int>5</int>
+ </value>
+</param>
+</params>
+"
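Review bot: The expected output hard-codes the stream's resource id as `<int>5</int>` (and the matching `string(109)` length), which depends on how many resources the engine and SAPI have already opened before this script runs, so the test can fail spuriously under a different SAPI or extension set. Since the section is already --EXPECTF--, `string(%d)` and `<int>%d</int>` keep the assertion that a resource encodes as its integer id without pinning the number. The file that is opened is irrelevant to the bug, so `$var0 = fopen(__FILE__, "r");` removes the dependency on /etc/passwd existing and keeps the test portable.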
index ea62bdc9a9000cdf2c527ae419e64cc13ea220a1..b5dcee8f0d10be0f7677f06b8fa8a3e0b867ef2a 100644 (file)
@@ -535,7 +535,7 @@ static XMLRPC_VALUE PHP_to_XMLRPC_worker (const char* key, zval* in_val, int dep
                                        xReturn = XMLRPC_CreateValueBoolean(key, Z_TYPE(val) == IS_TRUE);
                                        break;
                                case xmlrpc_int:
-                                       convert_to_long(&val);
+                                       ZVAL_LONG(&val, zval_get_long(&val));
                                        xReturn = XMLRPC_CreateValueInt(key, Z_LVAL(val));
                                        break;
                                case xmlrpc_double:
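Review bot: Nothing at the replaced line records why `convert_to_long(&val)` was unsafe, so a later cleanup could reintroduce it. As far as the hunk shows, `val` is a zval whose setup is above the hunk and which presumably shares its payload with the caller's zval, so convert_to_long's in-place destruction of the old value would release a resource the caller still holds, whereas zval_get_long only computes the long and leaves the operand untouched. Suggest a comment above the new line: `/* zval_get_long() leaves the old value of val alive; convert_to_long() freed it and left the caller's zval dangling (bug #72155) */`. The xmlrpc_double case that begins on the last line of the hunk, and any other case in this switch that still calls a convert_to_*() on `val`, is worth checking for the same pattern; their bodies are outside the hunk. PHP_to_XMLRPC_worker starts and ends outside the hunk.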