From c701d46a4b1f883af0ea788d495b98613dd1c302 Mon Sep 17 00:00:00 2001 From: Ilia Alshanetsky Date: Tue, 18 Sep 2007 19:52:27 +0000 Subject: [PATCH] MFB: Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). --- ext/xmlrpc/libxmlrpc/xmlrpc.c | 13 ++++++++++++- ext/xmlrpc/tests/bug42189.phpt | 15 +++++++++++++++ ext/xmlrpc/xmlrpc-epi-php.c | 4 ++++ 3 files changed, 31 insertions(+), 1 deletion(-) create mode 100644 ext/xmlrpc/tests/bug42189.phpt diff --git a/ext/xmlrpc/libxmlrpc/xmlrpc.c b/ext/xmlrpc/libxmlrpc/xmlrpc.c index 3c192d93f67..cf1f0a51674 100644 --- a/ext/xmlrpc/libxmlrpc/xmlrpc.c +++ b/ext/xmlrpc/libxmlrpc/xmlrpc.c @@ -43,6 +43,9 @@ static const char rcsid[] = "#(@) $Id$"; * 9/1999 - 10/2000 * HISTORY * $Log$ + * Revision 1.11 2007/06/07 09:07:12 tony2001 + * php_localtime_r() checks + * * Revision 1.10 2007/01/01 09:29:33 sebastian * Bump year. * @@ -176,7 +179,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { } p++; } - text = buf; + text = buf; } @@ -186,15 +189,19 @@ static int date_from_ISO8601 (const char *text, time_t * value) { return -1; } +#define XMLRPC_IS_NUMBER(x) if (x < '0' || x > '9') return -1; + n = 1000; tm.tm_year = 0; for(i = 0; i < 4; i++) { + XMLRPC_IS_NUMBER(text[i]) tm.tm_year += (text[i]-'0')*n; n /= 10; } n = 10; tm.tm_mon = 0; for(i = 0; i < 2; i++) { + XMLRPC_IS_NUMBER(text[i]) tm.tm_mon += (text[i+4]-'0')*n; n /= 10; } @@ -203,6 +210,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { n = 10; tm.tm_mday = 0; for(i = 0; i < 2; i++) { + XMLRPC_IS_NUMBER(text[i]) tm.tm_mday += (text[i+6]-'0')*n; n /= 10; } @@ -210,6 +218,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { n = 10; tm.tm_hour = 0; for(i = 0; i < 2; i++) { + XMLRPC_IS_NUMBER(text[i]) tm.tm_hour += (text[i+9]-'0')*n; n /= 10; } @@ -217,6 +226,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { n = 10; tm.tm_min = 0; for(i = 0; i < 2; i++) { + XMLRPC_IS_NUMBER(text[i]) tm.tm_min += (text[i+12]-'0')*n; n /= 10; } @@ -224,6 +234,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { n = 10; tm.tm_sec = 0; for(i = 0; i < 2; i++) { + XMLRPC_IS_NUMBER(text[i]) tm.tm_sec += (text[i+15]-'0')*n; n /= 10; } diff --git a/ext/xmlrpc/tests/bug42189.phpt b/ext/xmlrpc/tests/bug42189.phpt new file mode 100644 index 00000000000..55e726cf687 --- /dev/null +++ b/ext/xmlrpc/tests/bug42189.phpt @@ -0,0 +1,15 @@ +--TEST-- +Bug #42189 (xmlrpc_get_type() crashes PHP on invalid dates) +--SKIPIF-- + +--FILE-- + +--EXPECT-- +bool(false) +Done diff --git a/ext/xmlrpc/xmlrpc-epi-php.c b/ext/xmlrpc/xmlrpc-epi-php.c index 8c891d4659d..a49448f224c 100644 --- a/ext/xmlrpc/xmlrpc-epi-php.c +++ b/ext/xmlrpc/xmlrpc-epi-php.c @@ -1313,8 +1313,12 @@ int set_zval_xmlrpc_type(zval* value, XMLRPC_VALUE_TYPE newtype) /* {{{ */ if(SUCCESS == zend_hash_update(Z_OBJPROP_P(value), OBJECT_TYPE_ATTR, sizeof(OBJECT_TYPE_ATTR), (void *) &type, sizeof(zval *), NULL)) { bSuccess = zend_hash_update(Z_OBJPROP_P(value), OBJECT_VALUE_TS_ATTR, sizeof(OBJECT_VALUE_TS_ATTR), (void *) &ztimestamp, sizeof(zval *), NULL); } + } else { + zval_ptr_dtor(&type); } XMLRPC_CleanupValue(v); + } else { + zval_ptr_dtor(&type); } } else {