From 785b9d76f8bb373a05b52b8c60e391eb0e7b6263 Mon Sep 17 00:00:00 2001 From: Ilia Alshanetsky Date: Tue, 18 Sep 2007 19:49:54 +0000 Subject: [PATCH] Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). --- NEWS | 2 ++ ext/xmlrpc/libxmlrpc/xmlrpc.c | 13 ++++++++++++- ext/xmlrpc/tests/bug42189.phpt | 15 +++++++++++++++ ext/xmlrpc/xmlrpc-epi-php.c | 8 ++++++-- 4 files changed, 35 insertions(+), 3 deletions(-) create mode 100644 ext/xmlrpc/tests/bug42189.phpt diff --git a/NEWS b/NEWS index 8d5df81b9e..7a2c79156d 100644 --- a/NEWS +++ b/NEWS @@ -50,6 +50,8 @@ PHP NEWS - Fixed bug #42359 (xsd:list type not parsed). (Dmitry) - Fixed bug #42326 (SoapServer crash). (Dmitry) - Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) +- Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime + values). (Ilia) - Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) - Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten diff --git a/ext/xmlrpc/libxmlrpc/xmlrpc.c b/ext/xmlrpc/libxmlrpc/xmlrpc.c index d263ab6878..d82f270b35 100644 --- a/ext/xmlrpc/libxmlrpc/xmlrpc.c +++ b/ext/xmlrpc/libxmlrpc/xmlrpc.c @@ -43,6 +43,9 @@ static const char rcsid[] = "#(@) $Id$"; * 9/1999 - 10/2000 * HISTORY * $Log$ + * Revision 1.8.4.2 2007/06/07 09:07:36 tony2001 + * MFH: php_localtime_r() checks + * * Revision 1.8.4.1 2006/11/30 16:38:37 iliaa * last set of zts fixes * @@ -173,7 +176,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { } p++; } - text = buf; + text = buf; } @@ -183,15 +186,19 @@ static int date_from_ISO8601 (const char *text, time_t * value) { return -1; } +#define XMLRPC_IS_NUMBER(x) if (x < '0' || x > '9') return -1; + n = 1000; tm.tm_year = 0; for(i = 0; i < 4; i++) { + XMLRPC_IS_NUMBER(text[i]) tm.tm_year += (text[i]-'0')*n; n /= 10; } n = 10; tm.tm_mon = 0; for(i = 0; i < 2; i++) { + XMLRPC_IS_NUMBER(text[i]) tm.tm_mon += (text[i+4]-'0')*n; n /= 10; } @@ -200,6 +207,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { n = 10; tm.tm_mday = 0; for(i = 0; i < 2; i++) { + XMLRPC_IS_NUMBER(text[i]) tm.tm_mday += (text[i+6]-'0')*n; n /= 10; } @@ -207,6 +215,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { n = 10; tm.tm_hour = 0; for(i = 0; i < 2; i++) { + XMLRPC_IS_NUMBER(text[i]) tm.tm_hour += (text[i+9]-'0')*n; n /= 10; } @@ -214,6 +223,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { n = 10; tm.tm_min = 0; for(i = 0; i < 2; i++) { + XMLRPC_IS_NUMBER(text[i]) tm.tm_min += (text[i+12]-'0')*n; n /= 10; } @@ -221,6 +231,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { n = 10; tm.tm_sec = 0; for(i = 0; i < 2; i++) { + XMLRPC_IS_NUMBER(text[i]) tm.tm_sec += (text[i+15]-'0')*n; n /= 10; } diff --git a/ext/xmlrpc/tests/bug42189.phpt b/ext/xmlrpc/tests/bug42189.phpt new file mode 100644 index 0000000000..55e726cf68 --- /dev/null +++ b/ext/xmlrpc/tests/bug42189.phpt @@ -0,0 +1,15 @@ +--TEST-- +Bug #42189 (xmlrpc_get_type() crashes PHP on invalid dates) +--SKIPIF-- + +--FILE-- + +--EXPECT-- +bool(false) +Done diff --git a/ext/xmlrpc/xmlrpc-epi-php.c b/ext/xmlrpc/xmlrpc-epi-php.c index 25bbc54a7c..c0918a6cbd 100644 --- a/ext/xmlrpc/xmlrpc-epi-php.c +++ b/ext/xmlrpc/xmlrpc-epi-php.c @@ -1325,9 +1325,13 @@ int set_zval_xmlrpc_type(zval* value, XMLRPC_VALUE_TYPE newtype) if(SUCCESS == zend_hash_update(Z_OBJPROP_P(value), OBJECT_TYPE_ATTR, sizeof(OBJECT_TYPE_ATTR), (void *) &type, sizeof(zval *), NULL)) { bSuccess = zend_hash_update(Z_OBJPROP_P(value), OBJECT_VALUE_TS_ATTR, sizeof(OBJECT_VALUE_TS_ATTR), (void *) &ztimestamp, sizeof(zval *), NULL); } - } + } else { + zval_ptr_dtor(&type); + } XMLRPC_CleanupValue(v); - } + } else { + zval_ptr_dtor(&type); + } } else { convert_to_object(value); -- 2.50.1