MFB: Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime

values).
2024-09-23 19:07:26 +00:00 · 2007-09-18 19:52:27 +00:00 · 2007-09-18 19:52:27 +00:00 · c701d46a4b
commit c701d46a4b
parent 99dac437ea
3 changed files with 31 additions and 1 deletions
--- a/ext/xmlrpc/libxmlrpc/xmlrpc.c
+++ b/ext/xmlrpc/libxmlrpc/xmlrpc.c
@ -43,6 +43,9 @@ static const char rcsid[] = "#(@) $Id$";
 *   9/1999 - 10/2000
 * HISTORY
 *   $Log$
+ *   Revision 1.11  2007/06/07 09:07:12  tony2001
+ *   php_localtime_r() checks
+ *
 *   Revision 1.10  2007/01/01 09:29:33  sebastian
 *   Bump year.
 *
@ -176,7 +179,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
 			}
 			p++;
 		}
-		text = buf;
+			text = buf;
 	}


@ -186,15 +189,19 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
      return -1;
   }

+#define XMLRPC_IS_NUMBER(x) if (x < '0' || x > '9') return -1;
+
   n = 1000;
   tm.tm_year = 0;
   for(i = 0; i < 4; i++) {
+      XMLRPC_IS_NUMBER(text[i])
      tm.tm_year += (text[i]-'0')*n;
      n /= 10;
   }
   n = 10;
   tm.tm_mon = 0;
   for(i = 0; i < 2; i++) {
+      XMLRPC_IS_NUMBER(text[i])
      tm.tm_mon += (text[i+4]-'0')*n;
      n /= 10;
   }
@ -203,6 +210,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
   n = 10;
   tm.tm_mday = 0;
   for(i = 0; i < 2; i++) {
+      XMLRPC_IS_NUMBER(text[i])
      tm.tm_mday += (text[i+6]-'0')*n;
      n /= 10;
   }
@ -210,6 +218,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
   n = 10;
   tm.tm_hour = 0;
   for(i = 0; i < 2; i++) {
+      XMLRPC_IS_NUMBER(text[i])
      tm.tm_hour += (text[i+9]-'0')*n;
      n /= 10;
   }
@ -217,6 +226,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
   n = 10;
   tm.tm_min = 0;
   for(i = 0; i < 2; i++) {
+      XMLRPC_IS_NUMBER(text[i])
      tm.tm_min += (text[i+12]-'0')*n;
      n /= 10;
   }
@ -224,6 +234,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
   n = 10;
   tm.tm_sec = 0;
   for(i = 0; i < 2; i++) {
+      XMLRPC_IS_NUMBER(text[i])
      tm.tm_sec += (text[i+15]-'0')*n;
      n /= 10;
   }
--- a/ext/xmlrpc/tests/bug42189.phpt
+++ b/ext/xmlrpc/tests/bug42189.phpt
@ -0,0 +1,15 @@
+--TEST--
+Bug #42189 (xmlrpc_get_type() crashes PHP on invalid dates)
+--SKIPIF--
+<?php if (!extension_loaded("xmlrpc")) print "skip"; ?>
+--FILE--
+<?php
+$a = '~~~~~~~~~~~~~~~~~~';
+$ok = xmlrpc_set_type($a, 'datetime');
+var_dump($ok);
+
+echo "Done\n";
+?>
+--EXPECT--	
+bool(false)
+Done
--- a/ext/xmlrpc/xmlrpc-epi-php.c
+++ b/ext/xmlrpc/xmlrpc-epi-php.c
@ -1313,8 +1313,12 @@ int set_zval_xmlrpc_type(zval* value, XMLRPC_VALUE_TYPE newtype) /* {{{ */
 						if(SUCCESS == zend_hash_update(Z_OBJPROP_P(value), OBJECT_TYPE_ATTR, sizeof(OBJECT_TYPE_ATTR), (void *) &type, sizeof(zval *), NULL)) {
 							bSuccess = zend_hash_update(Z_OBJPROP_P(value), OBJECT_VALUE_TS_ATTR, sizeof(OBJECT_VALUE_TS_ATTR), (void *) &ztimestamp, sizeof(zval *), NULL);
 						}
+					} else {
+						zval_ptr_dtor(&type);
 					}
 					XMLRPC_CleanupValue(v);
+				} else {
+					zval_ptr_dtor(&type);
 				}
 			}
 			else {