Skip to content
Permalink
Browse files Browse the repository at this point in the history
Fix bug #72749: wddx_deserialize allows illegal memory access
  • Loading branch information
smalyshev committed Aug 17, 2016
1 parent f1a0b7d commit 426aeb2
Show file tree
Hide file tree
Showing 2 changed files with 46 additions and 4 deletions.
34 changes: 34 additions & 0 deletions ext/wddx/tests/bug72749.phpt
@@ -0,0 +1,34 @@
--TEST--
Bug #72749: wddx_deserialize allows illegal memory access
--SKIPIF--
<?php
if (!extension_loaded('wddx')) {
die('skip. wddx not available');
}
?>
--FILE--
<?php
$xml = <<<XML
<?xml version='1.0'?>
<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
<wddxPacket version='1.0'>
<header/>
<data>
<struct>
<var name='aDateTime3'>
<dateTime>2\r2004-09-10T05:52:49+00</dateTime>
</var>
</struct>
</data>
</wddxPacket>
XML;

$array = wddx_deserialize($xml);
var_dump($array);
?>
--EXPECT--
array(1) {
["aDateTime3"]=>
string(24) "2
2004-09-10T05:52:49+00"
}
16 changes: 12 additions & 4 deletions ext/wddx/wddx.c
Expand Up @@ -1123,19 +1123,27 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len)
case ST_DATETIME: {
char *tmp;

if (Z_TYPE_P(ent->data) == IS_STRING) {
tmp = safe_emalloc(Z_STRLEN_P(ent->data), 1, (size_t)len + 1);
memcpy(tmp, Z_STRVAL_P(ent->data), Z_STRLEN_P(ent->data));
memcpy(tmp + Z_STRLEN_P(ent->data), s, len);
len += Z_STRLEN_P(ent->data);
efree(Z_STRVAL_P(ent->data));
Z_TYPE_P(ent->data) = IS_LONG;
} else {
tmp = emalloc(len + 1);
memcpy(tmp, s, len);
}
tmp[len] = '\0';

Z_LVAL_P(ent->data) = php_parse_date(tmp, NULL);
/* date out of range < 1969 or > 2038 */
if (Z_LVAL_P(ent->data) == -1) {
Z_TYPE_P(ent->data) = IS_STRING;
Z_STRLEN_P(ent->data) = len;
Z_STRVAL_P(ent->data) = estrndup(s, len);
}
ZVAL_STRINGL(ent->data, tmp, len, 0);
} else {
efree(tmp);
}
}
break;

default:
Expand Down

0 comments on commit 426aeb2

Please sign in to comment.