Fix #75282: xmlrpc_encode_request() crashes

Since we allow ext/xmlrpc to be built against a system libxmlrpc(-epi), we must not `efree` memory which has been allocated via `malloc`. To distinguish bundled and system libxmlrpc(-epi) we introduce the macro `HAVE_XMLRPC_BUNDLED` (analogous to how it is done by ext/gd). We deliberately keep the ugly `#ifdef`s, instead of tucking them away in an `XMLRPC_FREE()` macro, to not forget that it is a bad idea to fork and bundle a library, but to also allow building against an unpatched system lib.
php · Oct 21, 2018 · 502b187 · 502b187
1 parent ba43d5a
commit 502b187
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 1 deletion.
diff --git a/NEWS b/NEWS
@@ -55,6 +55,9 @@ PHP                                                                        NEWS
   . Fixed bug #30875 (xml_parse_into_struct() does not resolve entities). (cmb)
   . Add support for getting SKIP_TAGSTART and SKIP_WHITE options. (cmb)
 
+- XMLRPC:
+  . Fixed bug #75282 (xmlrpc_encode_request() crashes). (cmb)
+
 11 Oct 2018, PHP 7.2.11
 
 - Core:

diff --git a/ext/xmlrpc/config.m4 b/ext/xmlrpc/config.m4
@@ -89,6 +89,7 @@ if test "$PHP_XMLRPC" = "yes"; then
           -I@ext_srcdir@/libxmlrpc -DVERSION="0.50")
   PHP_ADD_BUILD_DIR($ext_builddir/libxmlrpc)
   XMLRPC_MODULE_TYPE=builtin
+  AC_DEFINE(HAVE_XMLRPC_BUNDLED, 1, [ ])
 
 elif test "$PHP_XMLRPC" != "no"; then
 

diff --git a/ext/xmlrpc/config.w32 b/ext/xmlrpc/config.w32
@@ -13,7 +13,7 @@ if (PHP_XMLRPC != "no") {
 		ADD_SOURCES(configure_module_dirname + "/libxmlrpc", "base64.c simplestring.c xml_to_dandarpc.c \
 		xmlrpc_introspection.c encodings.c system_methods.c xml_to_xmlrpc.c \
 		queue.c xml_element.c xmlrpc.c xml_to_soap.c", "xmlrpc");
-
+		AC_DEFINE("HAVE_XMLRPC_BUNDLED", 1);
 	} else {
 		WARNING("xmlrpc support can't be enabled, libraries or headers are missing")
 		PHP_XMLRPC = "no";

diff --git a/ext/xmlrpc/xmlrpc-epi-php.c b/ext/xmlrpc/xmlrpc-epi-php.c
@@ -701,7 +701,11 @@ PHP_FUNCTION(xmlrpc_encode_request)
 			outBuf = XMLRPC_REQUEST_ToXML(xRequest, 0);
 			if (outBuf) {
 				RETVAL_STRING(outBuf);
+#ifdef HAVE_XMLRPC_BUNDLED
 				efree(outBuf);
+#else
+				free(outBuf);
+#endif
 			}
 			XMLRPC_RequestFree(xRequest, 1);
 		}
@@ -735,7 +739,11 @@ PHP_FUNCTION(xmlrpc_encode)
 		if (xOut) {
 			if (outBuf) {
 				RETVAL_STRING(outBuf);
+#ifdef HAVE_XMLRPC_BUNDLED
 				efree(outBuf);
+#else
+				free(outBuf);
+#endif
 			}
 			/* cleanup */
 			XMLRPC_CleanupValue(xOut);
@@ -1102,7 +1110,11 @@ PHP_FUNCTION(xmlrpc_server_call_method)
 				outBuf = XMLRPC_REQUEST_ToXML(xResponse, &buf_len);
 				if (outBuf) {
 					RETVAL_STRINGL(outBuf, buf_len);
+#ifdef HAVE_XMLRPC_BUNDLED
 					efree(outBuf);
+#else
+					free(outBuf);
+#endif
 				}
 				/* cleanup after ourselves.  what a sty! */
 				XMLRPC_RequestFree(xResponse, 0);