From 502b187ae8cbd24f4d8c05b8a3c4e52079314bbd Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Sun, 21 Oct 2018 12:06:55 +0200 Subject: [PATCH] Fix #75282: xmlrpc_encode_request() crashes Since we allow ext/xmlrpc to be built against a system libxmlrpc(-epi), we must not `efree` memory which has been allocated via `malloc`. To distinguish bundled and system libxmlrpc(-epi) we introduce the macro `HAVE_XMLRPC_BUNDLED` (analogous to how it is done by ext/gd). We deliberately keep the ugly `#ifdef`s, instead of tucking them away in an `XMLRPC_FREE()` macro, to not forget that it is a bad idea to fork and bundle a library, but to also allow building against an unpatched system lib. --- NEWS | 3 +++ ext/xmlrpc/config.m4 | 1 + ext/xmlrpc/config.w32 | 2 +- ext/xmlrpc/xmlrpc-epi-php.c | 12 ++++++++++++ 4 files changed, 17 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index 5530dade6d..c009e477e5 100644 --- a/NEWS +++ b/NEWS @@ -55,6 +55,9 @@ PHP NEWS . Fixed bug #30875 (xml_parse_into_struct() does not resolve entities). (cmb) . Add support for getting SKIP_TAGSTART and SKIP_WHITE options. (cmb) +- XMLRPC: + . Fixed bug #75282 (xmlrpc_encode_request() crashes). (cmb) + 11 Oct 2018, PHP 7.2.11 - Core: diff --git a/ext/xmlrpc/config.m4 b/ext/xmlrpc/config.m4 index b51b0d7afd..32042ba4d8 100644 --- a/ext/xmlrpc/config.m4 +++ b/ext/xmlrpc/config.m4 @@ -89,6 +89,7 @@ if test "$PHP_XMLRPC" = "yes"; then -I@ext_srcdir@/libxmlrpc -DVERSION="0.50") PHP_ADD_BUILD_DIR($ext_builddir/libxmlrpc) XMLRPC_MODULE_TYPE=builtin + AC_DEFINE(HAVE_XMLRPC_BUNDLED, 1, [ ]) elif test "$PHP_XMLRPC" != "no"; then diff --git a/ext/xmlrpc/config.w32 b/ext/xmlrpc/config.w32 index 49acc247f6..99211a5fd0 100644 --- a/ext/xmlrpc/config.w32 +++ b/ext/xmlrpc/config.w32 
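Review bot: The new `AC_DEFINE(HAVE_XMLRPC_BUNDLED, 1, [ ])` in the bundled branch of ext/xmlrpc/config.m4 has an empty description, so the generated config header gives no hint that this macro decides which deallocator ext/xmlrpc calls. I would give it one, for example `AC_DEFINE(HAVE_XMLRPC_BUNDLED, 1, [Define to 1 if the bundled libxmlrpc is used])`. The enclosing `if test "$PHP_XMLRPC" = "yes"` block starts before this hunk and continues after it.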
@@ -13,7 +13,7 @@ if (PHP_XMLRPC != "no") { ADD_SOURCES(configure_module_dirname + "/libxmlrpc", "base64.c simplestring.c xml_to_dandarpc.c \ xmlrpc_introspection.c encodings.c system_methods.c xml_to_xmlrpc.c \ queue.c xml_element.c xmlrpc.c xml_to_soap.c", "xmlrpc"); - + AC_DEFINE("HAVE_XMLRPC_BUNDLED", 1); } else { WARNING("xmlrpc support can't be enabled, libraries or headers are missing") PHP_XMLRPC = "no"; diff --git a/ext/xmlrpc/xmlrpc-epi-php.c b/ext/xmlrpc/xmlrpc-epi-php.c index 97e04eb2ca..36fbff123c 100644 --- a/ext/xmlrpc/xmlrpc-epi-php.c +++ b/ext/xmlrpc/xmlrpc-epi-php.c @@ -701,7 +701,11 @@ PHP_FUNCTION(xmlrpc_encode_request) outBuf = XMLRPC_REQUEST_ToXML(xRequest, 0); if (outBuf) { RETVAL_STRING(outBuf); +#ifdef HAVE_XMLRPC_BUNDLED efree(outBuf); +#else + free(outBuf); +#endif } XMLRPC_RequestFree(xRequest, 1); } @@ -735,7 +739,11 @@ PHP_FUNCTION(xmlrpc_encode) if (xOut) { if (outBuf) { RETVAL_STRING(outBuf); +#ifdef HAVE_XMLRPC_BUNDLED efree(outBuf); +#else + free(outBuf); +#endif } /* cleanup */ XMLRPC_CleanupValue(xOut); @@ -1102,7 +1110,11 @@ PHP_FUNCTION(xmlrpc_server_call_method) outBuf = XMLRPC_REQUEST_ToXML(xResponse, &buf_len); if (outBuf) { RETVAL_STRINGL(outBuf, buf_len); +#ifdef HAVE_XMLRPC_BUNDLED efree(outBuf); +#else + free(outBuf); +#endif } /* cleanup after ourselves. what a sty! */ XMLRPC_RequestFree(xResponse, 0); -- 2.40.0
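Review bot: The `#ifdef HAVE_XMLRPC_BUNDLED` / `efree(outBuf)` / `#else` / `free(outBuf)` block in xmlrpc_encode_request has no comment, so the reason for two deallocators is recorded only in the commit message; the same applies to the identical blocks in the xmlrpc_encode and xmlrpc_server_call_method hunks. Releasing a buffer through the wrong allocator's free routine is heap corruption rather than a clean failure, so I would put a short comment above the first `#ifdef`, such as `/* a system libxmlrpc(-epi) allocates outBuf with malloc(), so only the bundled build may efree() it */`. The `#else` branch is also what gets compiled whenever the macro is not visible in this file, so it is worth confirming that the config header is included before these checks; that include is not visible in these hunks. All three function bodies start and end outside their hunks.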