diff options
Diffstat (limited to 'CVE-2014-3668.patch')
| -rw-r--r-- | CVE-2014-3668.patch | 117 |
1 files changed, 0 insertions, 117 deletions
diff --git a/CVE-2014-3668.patch b/CVE-2014-3668.patch deleted file mode 100644 index c2f622fcd8ee..000000000000 --- a/CVE-2014-3668.patch +++ /dev/null @@ -1,117 +0,0 @@ -From 44035de79f5b9646064d9bdd0329a946b0c5372a Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev <stas@php.net> -Date: Sun, 28 Sep 2014 17:33:44 -0700 -Subject: [PATCH] Fix bug #68027 - fix date parsing in XMLRPC lib - ---- - ext/xmlrpc/libxmlrpc/xmlrpc.c | 13 ++++++++----- - ext/xmlrpc/tests/bug68027.phpt | 44 ++++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 52 insertions(+), 5 deletions(-) - create mode 100644 ext/xmlrpc/tests/bug68027.phpt - -diff --git a/ext/xmlrpc/libxmlrpc/xmlrpc.c b/ext/xmlrpc/libxmlrpc/xmlrpc.c -index ce70c2a..b766a54 100644 ---- a/ext/xmlrpc/libxmlrpc/xmlrpc.c -+++ b/ext/xmlrpc/libxmlrpc/xmlrpc.c -@@ -219,16 +219,19 @@ static int date_from_ISO8601 (const char *text, time_t * value) { - n = 10; - tm.tm_mon = 0; - for(i = 0; i < 2; i++) { -- XMLRPC_IS_NUMBER(text[i]) -+ XMLRPC_IS_NUMBER(text[i+4]) - tm.tm_mon += (text[i+4]-'0')*n; - n /= 10; - } - tm.tm_mon --; -+ if(tm.tm_mon < 0 || tm.tm_mon > 11) { -+ return -1; -+ } - - n = 10; - tm.tm_mday = 0; - for(i = 0; i < 2; i++) { -- XMLRPC_IS_NUMBER(text[i]) -+ XMLRPC_IS_NUMBER(text[i+6]) - tm.tm_mday += (text[i+6]-'0')*n; - n /= 10; - } -@@ -236,7 +239,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { - n = 10; - tm.tm_hour = 0; - for(i = 0; i < 2; i++) { -- XMLRPC_IS_NUMBER(text[i]) -+ XMLRPC_IS_NUMBER(text[i+9]) - tm.tm_hour += (text[i+9]-'0')*n; - n /= 10; - } -@@ -244,7 +247,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { - n = 10; - tm.tm_min = 0; - for(i = 0; i < 2; i++) { -- XMLRPC_IS_NUMBER(text[i]) -+ XMLRPC_IS_NUMBER(text[i+12]) - tm.tm_min += (text[i+12]-'0')*n; - n /= 10; - } -@@ -252,7 +255,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { - n = 10; - tm.tm_sec = 0; - for(i = 0; i < 2; i++) { -- XMLRPC_IS_NUMBER(text[i]) -+ XMLRPC_IS_NUMBER(text[i+15]) - tm.tm_sec += (text[i+15]-'0')*n; - n /= 10; - } -diff --git a/ext/xmlrpc/tests/bug68027.phpt b/ext/xmlrpc/tests/bug68027.phpt -new file mode 100644 -index 0000000..a5c96f1 ---- /dev/null -+++ b/ext/xmlrpc/tests/bug68027.phpt -@@ -0,0 +1,44 @@ -+--TEST-- -+Bug #68027 (buffer overflow in mkgmtime() function) -+--SKIPIF-- -+<?php -+if (!extension_loaded("xmlrpc")) print "skip"; -+?> -+--FILE-- -+<?php -+ -+$d = '6-01-01 20:00:00'; -+xmlrpc_set_type($d, 'datetime'); -+var_dump($d); -+$datetime = "2001-0-08T21:46:40-0400"; -+$obj = xmlrpc_decode("<?xml version=\"1.0\"?><methodResponse><params><param><value><dateTime.iso8601>$datetime</dateTime.iso8601></value></param></params></methodResponse>"); -+print_r($obj); -+ -+$datetime = "34770-0-08T21:46:40-0400"; -+$obj = xmlrpc_decode("<?xml version=\"1.0\"?><methodResponse><params><param><value><dateTime.iso8601>$datetime</dateTime.iso8601></value></param></params></methodResponse>"); -+print_r($obj); -+ -+echo "Done\n"; -+?> -+--EXPECTF-- -+object(stdClass)#1 (3) { -+ ["scalar"]=> -+ string(16) "6-01-01 20:00:00" -+ ["xmlrpc_type"]=> -+ string(8) "datetime" -+ ["timestamp"]=> -+ int(%d) -+} -+stdClass Object -+( -+ [scalar] => 2001-0-08T21:46:40-0400 -+ [xmlrpc_type] => datetime -+ [timestamp] => %s -+) -+stdClass Object -+( -+ [scalar] => 34770-0-08T21:46:40-0400 -+ [xmlrpc_type] => datetime -+ [timestamp] => %d -+) -+Done --- -2.1.0 - |