Fix bug #68027 - fix date parsing in XMLRPC lib

2024-09-22 18:37:25 +00:00 · 2014-09-28 17:33:44 -07:00 · 2014-09-28 17:33:44 -07:00 · 88412772d2
commit 88412772d2
parent 82b07b62c0
3 changed files with 56 additions and 6 deletions
--- a/5
+++ b/5
@ -2,7 +2,7 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2014, PHP 5.4.34

-Fileinfo:
+- Fileinfo:
  . Fixed bug #66242 (libmagic: don't assume char is signed). (ArdB)

 - Core:
@ -12,6 +12,9 @@ PHP                                                                        NEWS
 - OpenSSL:
  . Reverted fixes for bug #41631, due to regressions. (Stas) 

+- XMLRPC:
+  . Fixed bug #68027 (Global buffer overflow in mkgmtime() function). (Stas)
+
 18 Sep 2014, PHP 5.4.33

 - Core:
--- a/ext/xmlrpc/libxmlrpc/xmlrpc.c
+++ b/ext/xmlrpc/libxmlrpc/xmlrpc.c
@ -219,16 +219,19 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
   n = 10;
   tm.tm_mon = 0;
   for(i = 0; i < 2; i++) {
-      XMLRPC_IS_NUMBER(text[i])
+      XMLRPC_IS_NUMBER(text[i+4])
      tm.tm_mon += (text[i+4]-'0')*n;
      n /= 10;
   }
   tm.tm_mon --;
+   if(tm.tm_mon < 0 || tm.tm_mon > 11) {
+       return -1;
+   }

   n = 10;
   tm.tm_mday = 0;
   for(i = 0; i < 2; i++) {
-      XMLRPC_IS_NUMBER(text[i])
+      XMLRPC_IS_NUMBER(text[i+6])
      tm.tm_mday += (text[i+6]-'0')*n;
      n /= 10;
   }
@ -236,7 +239,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
   n = 10;
   tm.tm_hour = 0;
   for(i = 0; i < 2; i++) {
-      XMLRPC_IS_NUMBER(text[i])
+      XMLRPC_IS_NUMBER(text[i+9])
      tm.tm_hour += (text[i+9]-'0')*n;
      n /= 10;
   }
@ -244,7 +247,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
   n = 10;
   tm.tm_min = 0;
   for(i = 0; i < 2; i++) {
-      XMLRPC_IS_NUMBER(text[i])
+      XMLRPC_IS_NUMBER(text[i+12])
      tm.tm_min += (text[i+12]-'0')*n;
      n /= 10;
   }
@ -252,7 +255,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
   n = 10;
   tm.tm_sec = 0;
   for(i = 0; i < 2; i++) {
-      XMLRPC_IS_NUMBER(text[i])
+      XMLRPC_IS_NUMBER(text[i+15])
      tm.tm_sec += (text[i+15]-'0')*n;
      n /= 10;
   }
--- a/ext/xmlrpc/tests/bug68027.phpt
+++ b/ext/xmlrpc/tests/bug68027.phpt
@ -0,0 +1,44 @@
+--TEST--
+Bug #68027 (buffer overflow in mkgmtime() function)
+--SKIPIF--
+<?php
+if (!extension_loaded("xmlrpc")) print "skip";
+?>
+--FILE--
+<?php
+
+$d = '6-01-01 20:00:00';
+xmlrpc_set_type($d, 'datetime');
+var_dump($d);
+$datetime = "2001-0-08T21:46:40-0400";
+$obj = xmlrpc_decode("<?xml version=\"1.0\"?><methodResponse><params><param><value><dateTime.iso8601>$datetime</dateTime.iso8601></value></param></params></methodResponse>");
+print_r($obj);
+
+$datetime = "34770-0-08T21:46:40-0400";
+$obj = xmlrpc_decode("<?xml version=\"1.0\"?><methodResponse><params><param><value><dateTime.iso8601>$datetime</dateTime.iso8601></value></param></params></methodResponse>");
+print_r($obj);
+
+echo "Done\n";
+?>
+--EXPECTF--	
+object(stdClass)#1 (3) {
+  ["scalar"]=>
+  string(16) "6-01-01 20:00:00"
+  ["xmlrpc_type"]=>
+  string(8) "datetime"
+  ["timestamp"]=>
+  int(%d)
+}
+stdClass Object
+(
+    [scalar] => 2001-0-08T21:46:40-0400
+    [xmlrpc_type] => datetime
+    [timestamp] => %s
+)
+stdClass Object
+(
+    [scalar] => 34770-0-08T21:46:40-0400
+    [xmlrpc_type] => datetime
+    [timestamp] => %d
+)
+Done