[packages/php.git] / php-5.3.3-CVE-2014-3668.patch

From 88412772d295ebf7dd34409534507dc9bcac726e Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sun, 28 Sep 2014 17:33:44 -0700
Subject: [PATCH] Fix bug #68027 - fix date parsing in XMLRPC lib

---
 NEWS                           |  5 ++++-
 ext/xmlrpc/libxmlrpc/xmlrpc.c  | 13 ++++++++-----
 ext/xmlrpc/tests/bug68027.phpt | 44 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 56 insertions(+), 6 deletions(-)
 create mode 100644 ext/xmlrpc/tests/bug68027.phpt

diff --git a/ext/xmlrpc/libxmlrpc/xmlrpc.c b/ext/xmlrpc/libxmlrpc/xmlrpc.c
index ce70c2a..b766a54 100644
--- a/ext/xmlrpc/libxmlrpc/xmlrpc.c
+++ b/ext/xmlrpc/libxmlrpc/xmlrpc.c
@@ -219,16 +219,19 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
    n = 10;
    tm.tm_mon = 0;
    for(i = 0; i < 2; i++) {
-      XMLRPC_IS_NUMBER(text[i])
+      XMLRPC_IS_NUMBER(text[i+4])
       tm.tm_mon += (text[i+4]-'0')*n;
       n /= 10;
    }
    tm.tm_mon --;
+   if(tm.tm_mon < 0 || tm.tm_mon > 11) {
+       return -1;
+   }
 
    n = 10;
    tm.tm_mday = 0;
    for(i = 0; i < 2; i++) {
-      XMLRPC_IS_NUMBER(text[i])
+      XMLRPC_IS_NUMBER(text[i+6])
       tm.tm_mday += (text[i+6]-'0')*n;
       n /= 10;
    }
@@ -236,7 +239,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
    n = 10;
    tm.tm_hour = 0;
    for(i = 0; i < 2; i++) {
-      XMLRPC_IS_NUMBER(text[i])
+      XMLRPC_IS_NUMBER(text[i+9])
       tm.tm_hour += (text[i+9]-'0')*n;
       n /= 10;
    }
@@ -244,7 +247,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
    n = 10;
    tm.tm_min = 0;
    for(i = 0; i < 2; i++) {
-      XMLRPC_IS_NUMBER(text[i])
+      XMLRPC_IS_NUMBER(text[i+12])
       tm.tm_min += (text[i+12]-'0')*n;
       n /= 10;
    }
@@ -252,7 +255,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
    n = 10;
    tm.tm_sec = 0;
    for(i = 0; i < 2; i++) {
-      XMLRPC_IS_NUMBER(text[i])
+      XMLRPC_IS_NUMBER(text[i+15])
       tm.tm_sec += (text[i+15]-'0')*n;
       n /= 10;
    }
diff --git a/ext/xmlrpc/tests/bug68027.phpt b/ext/xmlrpc/tests/bug68027.phpt
new file mode 100644
index 0000000..a5c96f1
--- /dev/null
+++ b/ext/xmlrpc/tests/bug68027.phpt
@@ -0,0 +1,44 @@
+--TEST--
+Bug #68027 (buffer overflow in mkgmtime() function)
+--SKIPIF--
+<?php
+if (!extension_loaded("xmlrpc")) print "skip";
+?>
+--FILE--
+<?php
+
+$d = '6-01-01 20:00:00';
+xmlrpc_set_type($d, 'datetime');
+var_dump($d);
+$datetime = "2001-0-08T21:46:40-0400";
+$obj = xmlrpc_decode("<?xml version=\"1.0\"?><methodResponse><params><param><value><dateTime.iso8601>$datetime</dateTime.iso8601></value></param></params></methodResponse>");
+print_r($obj);
+
+$datetime = "34770-0-08T21:46:40-0400";
+$obj = xmlrpc_decode("<?xml version=\"1.0\"?><methodResponse><params><param><value><dateTime.iso8601>$datetime</dateTime.iso8601></value></param></params></methodResponse>");
+print_r($obj);
+
+echo "Done\n";
+?>
+--EXPECTF--	
+object(stdClass)#1 (3) {
+  ["scalar"]=>
+  string(16) "6-01-01 20:00:00"
+  ["xmlrpc_type"]=>
+  string(8) "datetime"
+  ["timestamp"]=>
+  int(%d)
+}
+stdClass Object
+(
+    [scalar] => 2001-0-08T21:46:40-0400
+    [xmlrpc_type] => datetime
+    [timestamp] => %s
+)
+stdClass Object
+(
+    [scalar] => 34770-0-08T21:46:40-0400
+    [xmlrpc_type] => datetime
+    [timestamp] => %d
+)
+Done
-- 
2.1.0
Commit	Line	Data
9fd17760 ER	1	From 88412772d295ebf7dd34409534507dc9bcac726e Mon Sep 17 00:00:00 2001
	2	From: Stanislav Malyshev <stas@php.net>
	3	Date: Sun, 28 Sep 2014 17:33:44 -0700
	4	Subject: [PATCH] Fix bug #68027 - fix date parsing in XMLRPC lib
	5
	6	---
	7	NEWS \| 5 ++++-
	8	ext/xmlrpc/libxmlrpc/xmlrpc.c \| 13 ++++++++-----
	9	ext/xmlrpc/tests/bug68027.phpt \| 44 ++++++++++++++++++++++++++++++++++++++++++
	10	3 files changed, 56 insertions(+), 6 deletions(-)
	11	create mode 100644 ext/xmlrpc/tests/bug68027.phpt
	12
	13	diff --git a/ext/xmlrpc/libxmlrpc/xmlrpc.c b/ext/xmlrpc/libxmlrpc/xmlrpc.c
	14	index ce70c2a..b766a54 100644
	15	--- a/ext/xmlrpc/libxmlrpc/xmlrpc.c
	16	+++ b/ext/xmlrpc/libxmlrpc/xmlrpc.c
	17	@@ -219,16 +219,19 @@ static int date_from_ISO8601 (const char text, time_t value) {
	18	n = 10;
	19	tm.tm_mon = 0;
	20	for(i = 0; i < 2; i++) {
	21	- XMLRPC_IS_NUMBER(text[i])
	22	+ XMLRPC_IS_NUMBER(text[i+4])
	23	tm.tm_mon += (text[i+4]-'0')*n;
	24	n /= 10;
	25	}
	26	tm.tm_mon --;
	27	+ if(tm.tm_mon < 0 \|\| tm.tm_mon > 11) {
	28	+ return -1;
	29	+ }
	30
	31	n = 10;
	32	tm.tm_mday = 0;
	33	for(i = 0; i < 2; i++) {
	34	- XMLRPC_IS_NUMBER(text[i])
	35	+ XMLRPC_IS_NUMBER(text[i+6])
	36	tm.tm_mday += (text[i+6]-'0')*n;
	37	n /= 10;
	38	}
	39	@@ -236,7 +239,7 @@ static int date_from_ISO8601 (const char text, time_t value) {
	40	n = 10;
	41	tm.tm_hour = 0;
	42	for(i = 0; i < 2; i++) {
	43	- XMLRPC_IS_NUMBER(text[i])
	44	+ XMLRPC_IS_NUMBER(text[i+9])
	45	tm.tm_hour += (text[i+9]-'0')*n;
	46	n /= 10;
	47	}
	48	@@ -244,7 +247,7 @@ static int date_from_ISO8601 (const char text, time_t value) {
	49	n = 10;
	50	tm.tm_min = 0;
	51	for(i = 0; i < 2; i++) {
	52	- XMLRPC_IS_NUMBER(text[i])
	53	+ XMLRPC_IS_NUMBER(text[i+12])
	54	tm.tm_min += (text[i+12]-'0')*n;
	55	n /= 10;
	56	}
	57	@@ -252,7 +255,7 @@ static int date_from_ISO8601 (const char text, time_t value) {
	58	n = 10;
	59	tm.tm_sec = 0;
	60	for(i = 0; i < 2; i++) {
	61	- XMLRPC_IS_NUMBER(text[i])
	62	+ XMLRPC_IS_NUMBER(text[i+15])
	63	tm.tm_sec += (text[i+15]-'0')*n;
	64	n /= 10;
65	}
66	diff --git a/ext/xmlrpc/tests/bug68027.phpt b/ext/xmlrpc/tests/bug68027.phpt
67	new file mode 100644
68	index 0000000..a5c96f1
69	--- /dev/null
70	+++ b/ext/xmlrpc/tests/bug68027.phpt
71	@@ -0,0 +1,44 @@
72	+--TEST--
73	+Bug #68027 (buffer overflow in mkgmtime() function)
74	+--SKIPIF--
75	+<?php
76	+if (!extension_loaded("xmlrpc")) print "skip";
77	+?>
78	+--FILE--
79	+<?php
80	+
81	+$d = '6-01-01 20:00:00';
82	+xmlrpc_set_type($d, 'datetime');
83	+var_dump($d);
84	+$datetime = "2001-0-08T21:46:40-0400";
85	+$obj = xmlrpc_decode("<?xml version=\"1.0\"?><methodResponse><params><param><value><dateTime.iso8601>$datetime</dateTime.iso8601></value></param></params></methodResponse>");
86	+print_r($obj);
87	+
88	+$datetime = "34770-0-08T21:46:40-0400";
89	+$obj = xmlrpc_decode("<?xml version=\"1.0\"?><methodResponse><params><param><value><dateTime.iso8601>$datetime</dateTime.iso8601></value></param></params></methodResponse>");
90	+print_r($obj);
91	+
92	+echo "Done\n";
93	+?>
94	+--EXPECTF--
95	+object(stdClass)#1 (3) {
96	+ ["scalar"]=>
97	+ string(16) "6-01-01 20:00:00"
98	+ ["xmlrpc_type"]=>
99	+ string(8) "datetime"
100	+ ["timestamp"]=>
101	+ int(%d)
102	+}
103	+stdClass Object
104	+(
105	+ [scalar] => 2001-0-08T21:46:40-0400
106	+ [xmlrpc_type] => datetime
107	+ [timestamp] => %s
108	+)
109	+stdClass Object
110	+(
111	+ [scalar] => 34770-0-08T21:46:40-0400
112	+ [xmlrpc_type] => datetime
113	+ [timestamp] => %d
114	+)
115	+Done
116	--
117	2.1.0
118