summarylogtreecommitdiffstats
path: root/CVE-2014-3668.patch
diff options
context:
space:
mode:
authorFelix Yan2015-07-23 19:55:08 +0800
committerFelix Yan2015-07-23 19:55:08 +0800
commit46328e7f9a997f2080d9b01ea32910302ca1fbb2 (patch)
treeab71f43b4093ed44f201782a09e3b55a9aea3e32 /CVE-2014-3668.patch
downloadaur-46328e7f9a997f2080d9b01ea32910302ca1fbb2.tar.gz
addpkg: php53 5.3.29-4
Diffstat (limited to 'CVE-2014-3668.patch')
-rw-r--r--CVE-2014-3668.patch117
1 files changed, 117 insertions, 0 deletions
diff --git a/CVE-2014-3668.patch b/CVE-2014-3668.patch
new file mode 100644
index 00000000000..c2f622fcd8e
--- /dev/null
+++ b/CVE-2014-3668.patch
@@ -0,0 +1,117 @@
+From 44035de79f5b9646064d9bdd0329a946b0c5372a Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 28 Sep 2014 17:33:44 -0700
+Subject: [PATCH] Fix bug #68027 - fix date parsing in XMLRPC lib
+
+---
+ ext/xmlrpc/libxmlrpc/xmlrpc.c | 13 ++++++++-----
+ ext/xmlrpc/tests/bug68027.phpt | 44 ++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 52 insertions(+), 5 deletions(-)
+ create mode 100644 ext/xmlrpc/tests/bug68027.phpt
+
+diff --git a/ext/xmlrpc/libxmlrpc/xmlrpc.c b/ext/xmlrpc/libxmlrpc/xmlrpc.c
+index ce70c2a..b766a54 100644
+--- a/ext/xmlrpc/libxmlrpc/xmlrpc.c
++++ b/ext/xmlrpc/libxmlrpc/xmlrpc.c
+@@ -219,16 +219,19 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
+ n = 10;
+ tm.tm_mon = 0;
+ for(i = 0; i < 2; i++) {
+- XMLRPC_IS_NUMBER(text[i])
++ XMLRPC_IS_NUMBER(text[i+4])
+ tm.tm_mon += (text[i+4]-'0')*n;
+ n /= 10;
+ }
+ tm.tm_mon --;
++ if(tm.tm_mon < 0 || tm.tm_mon > 11) {
++ return -1;
++ }
+
+ n = 10;
+ tm.tm_mday = 0;
+ for(i = 0; i < 2; i++) {
+- XMLRPC_IS_NUMBER(text[i])
++ XMLRPC_IS_NUMBER(text[i+6])
+ tm.tm_mday += (text[i+6]-'0')*n;
+ n /= 10;
+ }
+@@ -236,7 +239,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
+ n = 10;
+ tm.tm_hour = 0;
+ for(i = 0; i < 2; i++) {
+- XMLRPC_IS_NUMBER(text[i])
++ XMLRPC_IS_NUMBER(text[i+9])
+ tm.tm_hour += (text[i+9]-'0')*n;
+ n /= 10;
+ }
+@@ -244,7 +247,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
+ n = 10;
+ tm.tm_min = 0;
+ for(i = 0; i < 2; i++) {
+- XMLRPC_IS_NUMBER(text[i])
++ XMLRPC_IS_NUMBER(text[i+12])
+ tm.tm_min += (text[i+12]-'0')*n;
+ n /= 10;
+ }
+@@ -252,7 +255,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
+ n = 10;
+ tm.tm_sec = 0;
+ for(i = 0; i < 2; i++) {
+- XMLRPC_IS_NUMBER(text[i])
++ XMLRPC_IS_NUMBER(text[i+15])
+ tm.tm_sec += (text[i+15]-'0')*n;
+ n /= 10;
+ }
+diff --git a/ext/xmlrpc/tests/bug68027.phpt b/ext/xmlrpc/tests/bug68027.phpt
+new file mode 100644
+index 0000000..a5c96f1
+--- /dev/null
++++ b/ext/xmlrpc/tests/bug68027.phpt
+@@ -0,0 +1,44 @@
++--TEST--
++Bug #68027 (buffer overflow in mkgmtime() function)
++--SKIPIF--
++<?php
++if (!extension_loaded("xmlrpc")) print "skip";
++?>
++--FILE--
++<?php
++
++$d = '6-01-01 20:00:00';
++xmlrpc_set_type($d, 'datetime');
++var_dump($d);
++$datetime = "2001-0-08T21:46:40-0400";
++$obj = xmlrpc_decode("<?xml version=\"1.0\"?><methodResponse><params><param><value><dateTime.iso8601>$datetime</dateTime.iso8601></value></param></params></methodResponse>");
++print_r($obj);
++
++$datetime = "34770-0-08T21:46:40-0400";
++$obj = xmlrpc_decode("<?xml version=\"1.0\"?><methodResponse><params><param><value><dateTime.iso8601>$datetime</dateTime.iso8601></value></param></params></methodResponse>");
++print_r($obj);
++
++echo "Done\n";
++?>
++--EXPECTF--
++object(stdClass)#1 (3) {
++ ["scalar"]=>
++ string(16) "6-01-01 20:00:00"
++ ["xmlrpc_type"]=>
++ string(8) "datetime"
++ ["timestamp"]=>
++ int(%d)
++}
++stdClass Object
++(
++ [scalar] => 2001-0-08T21:46:40-0400
++ [xmlrpc_type] => datetime
++ [timestamp] => %s
++)
++stdClass Object
++(
++ [scalar] => 34770-0-08T21:46:40-0400
++ [xmlrpc_type] => datetime
++ [timestamp] => %d
++)
++Done
+--
+2.1.0
+