diff options
Diffstat (limited to 'ext/xmlrpc')
| -rw-r--r-- | ext/xmlrpc/libxmlrpc/xmlrpc.c | 13 | ||||
| -rw-r--r-- | ext/xmlrpc/tests/bug42189.phpt | 15 | ||||
| -rw-r--r-- | ext/xmlrpc/xmlrpc-epi-php.c | 8 |
3 files changed, 33 insertions, 3 deletions
diff --git a/ext/xmlrpc/libxmlrpc/xmlrpc.c b/ext/xmlrpc/libxmlrpc/xmlrpc.c index d263ab6878..d82f270b35 100644 --- a/ext/xmlrpc/libxmlrpc/xmlrpc.c +++ b/ext/xmlrpc/libxmlrpc/xmlrpc.c @@ -43,6 +43,9 @@ static const char rcsid[] = "#(@) $Id$"; * 9/1999 - 10/2000 * HISTORY * $Log$ + * Revision 1.8.4.2 2007/06/07 09:07:36 tony2001 + * MFH: php_localtime_r() checks + * * Revision 1.8.4.1 2006/11/30 16:38:37 iliaa * last set of zts fixes * @@ -173,7 +176,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { } p++; } - text = buf; + text = buf; } @@ -183,15 +186,19 @@ static int date_from_ISO8601 (const char *text, time_t * value) { return -1; } +#define XMLRPC_IS_NUMBER(x) if (x < '0' || x > '9') return -1; + n = 1000; tm.tm_year = 0; for(i = 0; i < 4; i++) { + XMLRPC_IS_NUMBER(text[i]) tm.tm_year += (text[i]-'0')*n; n /= 10; } n = 10; tm.tm_mon = 0; for(i = 0; i < 2; i++) { + XMLRPC_IS_NUMBER(text[i]) tm.tm_mon += (text[i+4]-'0')*n; n /= 10; } @@ -200,6 +207,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { n = 10; tm.tm_mday = 0; for(i = 0; i < 2; i++) { + XMLRPC_IS_NUMBER(text[i]) tm.tm_mday += (text[i+6]-'0')*n; n /= 10; } @@ -207,6 +215,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { n = 10; tm.tm_hour = 0; for(i = 0; i < 2; i++) { + XMLRPC_IS_NUMBER(text[i]) tm.tm_hour += (text[i+9]-'0')*n; n /= 10; } @@ -214,6 +223,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { n = 10; tm.tm_min = 0; for(i = 0; i < 2; i++) { + XMLRPC_IS_NUMBER(text[i]) tm.tm_min += (text[i+12]-'0')*n; n /= 10; } @@ -221,6 +231,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { n = 10; tm.tm_sec = 0; for(i = 0; i < 2; i++) { + XMLRPC_IS_NUMBER(text[i]) tm.tm_sec += (text[i+15]-'0')*n; n /= 10; } diff --git a/ext/xmlrpc/tests/bug42189.phpt b/ext/xmlrpc/tests/bug42189.phpt new file mode 100644 index 0000000000..55e726cf68 --- /dev/null +++ b/ext/xmlrpc/tests/bug42189.phpt @@ -0,0 +1,15 @@ +--TEST-- +Bug #42189 (xmlrpc_get_type() crashes PHP on invalid dates) +--SKIPIF-- +<?php if (!extension_loaded("xmlrpc")) print "skip"; ?> +--FILE-- +<?php +$a = '~~~~~~~~~~~~~~~~~~'; +$ok = xmlrpc_set_type($a, 'datetime'); +var_dump($ok); + +echo "Done\n"; +?> +--EXPECT-- +bool(false) +Done diff --git a/ext/xmlrpc/xmlrpc-epi-php.c b/ext/xmlrpc/xmlrpc-epi-php.c index 25bbc54a7c..c0918a6cbd 100644 --- a/ext/xmlrpc/xmlrpc-epi-php.c +++ b/ext/xmlrpc/xmlrpc-epi-php.c @@ -1325,9 +1325,13 @@ int set_zval_xmlrpc_type(zval* value, XMLRPC_VALUE_TYPE newtype) if(SUCCESS == zend_hash_update(Z_OBJPROP_P(value), OBJECT_TYPE_ATTR, sizeof(OBJECT_TYPE_ATTR), (void *) &type, sizeof(zval *), NULL)) { bSuccess = zend_hash_update(Z_OBJPROP_P(value), OBJECT_VALUE_TS_ATTR, sizeof(OBJECT_VALUE_TS_ATTR), (void *) &ztimestamp, sizeof(zval *), NULL); } - } + } else { + zval_ptr_dtor(&type); + } XMLRPC_CleanupValue(v); - } + } else { + zval_ptr_dtor(&type); + } } else { convert_to_object(value); |