From: Ilia Alshanetsky Date: Tue, 18 Sep 2007 19:52:27 +0000 (+0000) Subject: MFB: Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime X-Git-Tag: RELEASE_2_0_0a1~1800 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=c701d46a4b1f883af0ea788d495b98613dd1c302;p=php MFB: Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). --- diff --git a/ext/xmlrpc/libxmlrpc/xmlrpc.c b/ext/xmlrpc/libxmlrpc/xmlrpc.c index 3c192d93f6..cf1f0a5167 100644 --- a/ext/xmlrpc/libxmlrpc/xmlrpc.c +++ b/ext/xmlrpc/libxmlrpc/xmlrpc.c @@ -43,6 +43,9 @@ static const char rcsid[] = "#(@) $Id$"; * 9/1999 - 10/2000 * HISTORY * $Log$ + * Revision 1.11 2007/06/07 09:07:12 tony2001 + * php_localtime_r() checks + * * Revision 1.10 2007/01/01 09:29:33 sebastian * Bump year. * @@ -176,7 +179,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { } p++; } - text = buf; + text = buf; } @@ -186,15 +189,19 @@ static int date_from_ISO8601 (const char *text, time_t * value) { return -1; } +#define XMLRPC_IS_NUMBER(x) if (x < '0' || x > '9') return -1; + n = 1000; tm.tm_year = 0; for(i = 0; i < 4; i++) { + XMLRPC_IS_NUMBER(text[i]) tm.tm_year += (text[i]-'0')*n; n /= 10; } n = 10; tm.tm_mon = 0; for(i = 0; i < 2; i++) { + XMLRPC_IS_NUMBER(text[i]) tm.tm_mon += (text[i+4]-'0')*n; n /= 10; } @@ -203,6 +210,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { n = 10; tm.tm_mday = 0; for(i = 0; i < 2; i++) { + XMLRPC_IS_NUMBER(text[i]) tm.tm_mday += (text[i+6]-'0')*n; n /= 10; } @@ -210,6 +218,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { n = 10; tm.tm_hour = 0; for(i = 0; i < 2; i++) { + XMLRPC_IS_NUMBER(text[i]) tm.tm_hour += (text[i+9]-'0')*n; n /= 10; } @@ -217,6 +226,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { n = 10; tm.tm_min = 0; for(i = 0; i < 2; i++) { + XMLRPC_IS_NUMBER(text[i]) tm.tm_min += (text[i+12]-'0')*n; n /= 10; } @@ -224,6 +234,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { n = 10; tm.tm_sec = 0; for(i = 0; i < 2; i++) { + XMLRPC_IS_NUMBER(text[i]) tm.tm_sec += (text[i+15]-'0')*n; n /= 10; } diff --git a/ext/xmlrpc/tests/bug42189.phpt b/ext/xmlrpc/tests/bug42189.phpt new file mode 100644 index 0000000000..55e726cf68 --- /dev/null +++ b/ext/xmlrpc/tests/bug42189.phpt @@ -0,0 +1,15 @@ +--TEST-- +Bug #42189 (xmlrpc_get_type() crashes PHP on invalid dates) +--SKIPIF-- + +--FILE-- + +--EXPECT-- +bool(false) +Done diff --git a/ext/xmlrpc/xmlrpc-epi-php.c b/ext/xmlrpc/xmlrpc-epi-php.c index 8c891d4659..a49448f224 100644 --- a/ext/xmlrpc/xmlrpc-epi-php.c +++ b/ext/xmlrpc/xmlrpc-epi-php.c @@ -1313,8 +1313,12 @@ int set_zval_xmlrpc_type(zval* value, XMLRPC_VALUE_TYPE newtype) /* {{{ */ if(SUCCESS == zend_hash_update(Z_OBJPROP_P(value), OBJECT_TYPE_ATTR, sizeof(OBJECT_TYPE_ATTR), (void *) &type, sizeof(zval *), NULL)) { bSuccess = zend_hash_update(Z_OBJPROP_P(value), OBJECT_VALUE_TS_ATTR, sizeof(OBJECT_VALUE_TS_ATTR), (void *) &ztimestamp, sizeof(zval *), NULL); } + } else { + zval_ptr_dtor(&type); } XMLRPC_CleanupValue(v); + } else { + zval_ptr_dtor(&type); } } else {