
Contents of /rpms/php/sme8/php-5.3.3-CVE-2013-4113.patch



Revision 1.2 - (show annotations) (download)
Mon Jul 15 13:51:22 2013 UTC (11 years, 4 months ago) by slords
Branch: MAIN
CVS Tags: php-5_3_3-15_el5_sme, php-5_3_3-16_el5_sme, php-5_3_3-14_el5_sme, php-5_3_3-13_el5_sme_2, php-5_3_3-17_el5_sme, HEAD
Changes since 1.1: +181 -0 lines
* Mon Jul 15 2013 Shad L. Lords <slords@mail.com> - 5.3.3-13.sme.2
- Add php53-* provides to provide compatibility
- Obsolete php-domxml and php-dom [SME: 6733]
- Update Obsoletes and Conflicts [SME: 6436]

1 From 7d163e8a0880ae8af2dd869071393e5dc07ef271 Mon Sep 17 00:00:00 2001
2 From: Rob Richards <rrichards@php.net>
3 Date: Sat, 6 Jul 2013 07:53:07 -0400
4 Subject: [PATCH] truncate results at depth of 255 to prevent corruption
5
6 ---
7 ext/xml/xml.c | 90 +++++++++++++++++++++++++++++++++--------------------------
8 1 file changed, 50 insertions(+), 40 deletions(-)
9
10 diff --git a/ext/xml/xml.c b/ext/xml/xml.c
11 index 1f0480b..9f0bc30 100644
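--- a/ext/xml/xml.c
+++ b/ext/xml/xml.c
@@ -427,7 +427,7 @@ static void xml_parser_dtor(zend_rsrc_list_entry *rsrc TSRMLS_DC)
 }
 if (parser->ltags) {
 int inx;
- for (inx = 0; inx < parser->level; inx++)
+ for (inx = 0; ((inx < parser->level) && (inx < XML_MAXLEVEL)); inx++)
 efree(parser->ltags[ inx ]);
 efree(parser->ltags);
 }
@@ -905,45 +905,50 @@ void _xml_startElementHandler(void *userData, const XML_Char *name, const XML_Ch
 }
 
 if (parser->data) {
- zval *tag, *atr;
- int atcnt = 0;
+ if (parser->level <= XML_MAXLEVEL) {
+ zval *tag, *atr;
+ int atcnt = 0;
 
- MAKE_STD_ZVAL(tag);
- MAKE_STD_ZVAL(atr);
+ MAKE_STD_ZVAL(tag);
+ MAKE_STD_ZVAL(atr);
 
- array_init(tag);
- array_init(atr);
+ array_init(tag);
+ array_init(atr);
 
- _xml_add_to_info(parser,((char *) tag_name) + parser->toffset);
+ _xml_add_to_info(parser,((char *) tag_name) + parser->toffset);
 
- add_assoc_string(tag,"tag",((char *) tag_name) + parser->toffset,1); /* cast to avoid gcc-warning */
- add_assoc_string(tag,"type","open",1);
- add_assoc_long(tag,"level",parser->level);
+ add_assoc_string(tag,"tag",((char *) tag_name) + parser->toffset,1); /* cast to avoid gcc-warning */
+ add_assoc_string(tag,"type","open",1);
+ add_assoc_long(tag,"level",parser->level);
 
- parser->ltags[parser->level-1] = estrdup(tag_name);
- parser->lastwasopen = 1;
+ parser->ltags[parser->level-1] = estrdup(tag_name);
+ parser->lastwasopen = 1;
 
- attributes = (const XML_Char **) attrs;
+ attributes = (const XML_Char **) attrs;
 
- while (attributes && *attributes) {
- att = _xml_decode_tag(parser, attributes[0]);
- val = xml_utf8_decode(attributes[1], strlen(attributes[1]), &val_len, parser->target_encoding);
-
- add_assoc_stringl(atr,att,val,val_len,0);
+ while (attributes && *attributes) {
+ att = _xml_decode_tag(parser, attributes[0]);
+ val = xml_utf8_decode(attributes[1], strlen(attributes[1]), &val_len, parser->target_encoding);
 
- atcnt++;
- attributes += 2;
+ add_assoc_stringl(atr,att,val,val_len,0);
 
- efree(att);
- }
+ atcnt++;
+ attributes += 2;
 
- if (atcnt) {
- zend_hash_add(Z_ARRVAL_P(tag),"attributes",sizeof("attributes"),&atr,sizeof(zval*),NULL);
- } else {
- zval_ptr_dtor(&atr);
- }
+ efree(att);
+ }
+
+ if (atcnt) {
+ zend_hash_add(Z_ARRVAL_P(tag),"attributes",sizeof("attributes"),&atr,sizeof(zval*),NULL);
+ } else {
+ zval_ptr_dtor(&atr);
+ }
 
- zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),(void *) &parser->ctag);
+ zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),(void *) &parser->ctag);
+ } else if (parser->level == (XML_MAXLEVEL + 1)) {
+ TSRMLS_FETCH();
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Maximum depth exceeded - Results truncated");
+ }
 }
 
 efree(tag_name);
@@ -995,7 +1000,7 @@ void _xml_endElementHandler(void *userData, const XML_Char *name)
 
 efree(tag_name);
 
- if (parser->ltags) {
+ if ((parser->ltags) && (parser->level <= XML_MAXLEVEL)) {
 efree(parser->ltags[parser->level-1]);
 }
 
@@ -1079,18 +1084,23 @@ void _xml_characterDataHandler(void *userData, const XML_Char *s, int len)
 }
 }
 
- MAKE_STD_ZVAL(tag);
-
- array_init(tag);
-
- _xml_add_to_info(parser,parser->ltags[parser->level-1] + parser->toffset);
+ if (parser->level <= XML_MAXLEVEL) {
+ MAKE_STD_ZVAL(tag);
 
- add_assoc_string(tag,"tag",parser->ltags[parser->level-1] + parser->toffset,1);
- add_assoc_string(tag,"value",decoded_value,0);
- add_assoc_string(tag,"type","cdata",1);
- add_assoc_long(tag,"level",parser->level);
+ array_init(tag);
 
- zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),NULL);
+ _xml_add_to_info(parser,parser->ltags[parser->level-1] + parser->toffset);
+
+ add_assoc_string(tag,"tag",parser->ltags[parser->level-1] + parser->toffset,1);
+ add_assoc_string(tag,"value",decoded_value,0);
+ add_assoc_string(tag,"type","cdata",1);
+ add_assoc_long(tag,"level",parser->level);
+
+ zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),NULL);
+ } else if (parser->level == (XML_MAXLEVEL + 1)) {
+ TSRMLS_FETCH();
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Maximum depth exceeded - Results truncated");
+ }
 }
 } else {
 efree(decoded_value);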
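Review bot: In the `_xml_characterDataHandler` hunk, the new over-limit path neither stores nor frees `decoded_value`: inside the guarded branch it is handed to the result array by `add_assoc_string(tag,"value",decoded_value,0)`, and the sibling `else` at the end of the hunk frees it, but when `parser->level > XML_MAXLEVEL` neither happens, so each text node nested deeper than the limit in an untrusted document appears to leak one buffer. Adding `if (parser->level > XML_MAXLEVEL) { efree(decoded_value); }` after the if/else-if chain would close that. The guards here and in `_xml_endElementHandler` also bound `parser->level` only from above while indexing `parser->ltags[parser->level-1]`; if either handler can run at level 0 (not determinable from these hunks), `parser->level > 0` belongs in the same conditions. The function bodies start and end outside the hunks, so earlier code may already consume `decoded_value` on some paths.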
145 --
146 1.7.11.5
147
148 From 710eee5555bc5c95692bd3c84f5d2b5d687349b6 Mon Sep 17 00:00:00 2001
149 From: =?utf8?q?Johannes=20Schl=C3=BCter?= <johannes@php.net>
150 Date: Wed, 10 Jul 2013 19:35:18 +0200
151 Subject: [PATCH] add test for bug #65236
152
153 ---
154 ext/xml/tests/bug65236.phpt | 15 +++++++++++++++
155 1 file changed, 15 insertions(+)
156 create mode 100644 ext/xml/tests/bug65236.phpt
157
158 diff --git a/ext/xml/tests/bug65236.phpt b/ext/xml/tests/bug65236.phpt
159 new file mode 100644
160 index 0000000..67b26d6
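--- /dev/null
+++ b/ext/xml/tests/bug65236.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #65236 (heap corruption in xml parser)
+--SKIPIF--
+<?php
+require_once("skipif.inc");
+?>
+--FILE--
+<?php
+xml_parse_into_struct(xml_parser_create_ns(), str_repeat("<blah>", 1000), $a);
+
+echo "Done\n";
+?>
+--EXPECTF--
+Warning: xml_parse_into_struct(): Maximum depth exceeded - Results truncated in %s on line %d
+Done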
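Review bot: The test input only opens elements, so it never reaches the new depth guards in `_xml_endElementHandler` or `_xml_characterDataHandler` beyond depth 255; it covers the open-tag path and, presumably, the destructor running with `parser->level` above the limit. A second case that also carries text and closing tags at that depth, e.g. `str_repeat("<blah>", 1000) . "x" . str_repeat("</blah>", 1000)`, would exercise them. Its `--EXPECTF--` section would need to match however many warnings that input actually produces.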
179 --
180 1.7.11.5
181
