php/sme8/php-5.3.3-CVE-2014-3668.patch

From 88412772d295ebf7dd34409534507dc9bcac726e Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sun, 28 Sep 2014 17:33:44 -0700
Subject: [PATCH] Fix bug #68027 - fix date parsing in XMLRPC lib

---
 NEWS                           |  5 ++++-
 ext/xmlrpc/libxmlrpc/xmlrpc.c  | 13 ++++++++-----
 ext/xmlrpc/tests/bug68027.phpt | 44 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 56 insertions(+), 6 deletions(-)
 create mode 100644 ext/xmlrpc/tests/bug68027.phpt

diff --git a/ext/xmlrpc/libxmlrpc/xmlrpc.c b/ext/xmlrpc/libxmlrpc/xmlrpc.c
index ce70c2a..b766a54 100644
--- a/ext/xmlrpc/libxmlrpc/xmlrpc.c
+++ b/ext/xmlrpc/libxmlrpc/xmlrpc.c
@@ -219,16 +219,19 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
    n = 10;
    tm.tm_mon = 0;
    for(i = 0; i < 2; i++) {
-      XMLRPC_IS_NUMBER(text[i])
+      XMLRPC_IS_NUMBER(text[i+4])
       tm.tm_mon += (text[i+4]-'0')*n;
       n /= 10;
    }
    tm.tm_mon --;
+   if(tm.tm_mon < 0 || tm.tm_mon > 11) {
+       return -1;
+   }
 
    n = 10;
    tm.tm_mday = 0;
    for(i = 0; i < 2; i++) {
-      XMLRPC_IS_NUMBER(text[i])
+      XMLRPC_IS_NUMBER(text[i+6])
       tm.tm_mday += (text[i+6]-'0')*n;
       n /= 10;
    }
@@ -236,7 +239,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
    n = 10;
    tm.tm_hour = 0;
    for(i = 0; i < 2; i++) {
-      XMLRPC_IS_NUMBER(text[i])
+      XMLRPC_IS_NUMBER(text[i+9])
       tm.tm_hour += (text[i+9]-'0')*n;
       n /= 10;
    }
@@ -244,7 +247,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
    n = 10;
    tm.tm_min = 0;
    for(i = 0; i < 2; i++) {
-      XMLRPC_IS_NUMBER(text[i])
+      XMLRPC_IS_NUMBER(text[i+12])
       tm.tm_min += (text[i+12]-'0')*n;
       n /= 10;
    }
@@ -252,7 +255,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
    n = 10;
    tm.tm_sec = 0;
    for(i = 0; i < 2; i++) {
-      XMLRPC_IS_NUMBER(text[i])
+      XMLRPC_IS_NUMBER(text[i+15])
       tm.tm_sec += (text[i+15]-'0')*n;
       n /= 10;
    }
diff --git a/ext/xmlrpc/tests/bug68027.phpt b/ext/xmlrpc/tests/bug68027.phpt
new file mode 100644
index 0000000..a5c96f1
--- /dev/null
+++ b/ext/xmlrpc/tests/bug68027.phpt
@@ -0,0 +1,44 @@
+--TEST--
+Bug #68027 (buffer overflow in mkgmtime() function)
+--SKIPIF--
+<?php
+if (!extension_loaded("xmlrpc")) print "skip";
+?>
+--FILE--
+<?php
+
+$d = '6-01-01 20:00:00';
+xmlrpc_set_type($d, 'datetime');
+var_dump($d);
+$datetime = "2001-0-08T21:46:40-0400";
+$obj = xmlrpc_decode("<?xml version=\"1.0\"?><methodResponse><params><param><value><dateTime.iso8601>$datetime</dateTime.iso8601></value></param></params></methodResponse>");
+print_r($obj);
+
+$datetime = "34770-0-08T21:46:40-0400";
+$obj = xmlrpc_decode("<?xml version=\"1.0\"?><methodResponse><params><param><value><dateTime.iso8601>$datetime</dateTime.iso8601></value></param></params></methodResponse>");
+print_r($obj);
+
+echo "Done\n";
+?>
+--EXPECTF--    
+object(stdClass)#1 (3) {
+  ["scalar"]=>
+  string(16) "6-01-01 20:00:00"
+  ["xmlrpc_type"]=>
+  string(8) "datetime"
+  ["timestamp"]=>
+  int(%d)
+}
+stdClass Object
+(
+    [scalar] => 2001-0-08T21:46:40-0400
+    [xmlrpc_type] => datetime
+    [timestamp] => %s
+)
+stdClass Object
+(
+    [scalar] => 34770-0-08T21:46:40-0400
+    [xmlrpc_type] => datetime
+    [timestamp] => %d
+)
+Done
-- 
2.1.0

1	vip-ire	1.1	From 88412772d295ebf7dd34409534507dc9bcac726e Mon Sep 17 00:00:00 2001
2			From: Stanislav Malyshev <stas@php.net>
3			Date: Sun, 28 Sep 2014 17:33:44 -0700
4			Subject: [PATCH] Fix bug #68027 - fix date parsing in XMLRPC lib
5
6			---
7			NEWS \| 5 ++++-
8			ext/xmlrpc/libxmlrpc/xmlrpc.c \| 13 ++++++++-----
9			ext/xmlrpc/tests/bug68027.phpt \| 44 ++++++++++++++++++++++++++++++++++++++++++
10			3 files changed, 56 insertions(+), 6 deletions(-)
11			create mode 100644 ext/xmlrpc/tests/bug68027.phpt
12
13			diff --git a/ext/xmlrpc/libxmlrpc/xmlrpc.c b/ext/xmlrpc/libxmlrpc/xmlrpc.c
14			index ce70c2a..b766a54 100644
15			--- a/ext/xmlrpc/libxmlrpc/xmlrpc.c
16			+++ b/ext/xmlrpc/libxmlrpc/xmlrpc.c
17			@@ -219,16 +219,19 @@ static int date_from_ISO8601 (const char text, time_t value) {
18			n = 10;
19			tm.tm_mon = 0;
20			for(i = 0; i < 2; i++) {
21			- XMLRPC_IS_NUMBER(text[i])
22			+ XMLRPC_IS_NUMBER(text[i+4])
23			tm.tm_mon += (text[i+4]-'0')*n;
24			n /= 10;
25			}
26			tm.tm_mon --;
27			+ if(tm.tm_mon < 0 \|\| tm.tm_mon > 11) {
28			+ return -1;
29			+ }
30
31			n = 10;
32			tm.tm_mday = 0;
33			for(i = 0; i < 2; i++) {
34			- XMLRPC_IS_NUMBER(text[i])
35			+ XMLRPC_IS_NUMBER(text[i+6])
36			tm.tm_mday += (text[i+6]-'0')*n;
37			n /= 10;
38			}
39			@@ -236,7 +239,7 @@ static int date_from_ISO8601 (const char text, time_t value) {
40			n = 10;
41			tm.tm_hour = 0;
42			for(i = 0; i < 2; i++) {
43			- XMLRPC_IS_NUMBER(text[i])
44			+ XMLRPC_IS_NUMBER(text[i+9])
45			tm.tm_hour += (text[i+9]-'0')*n;
46			n /= 10;
47			}
48			@@ -244,7 +247,7 @@ static int date_from_ISO8601 (const char text, time_t value) {
49			n = 10;
50			tm.tm_min = 0;
51			for(i = 0; i < 2; i++) {
52			- XMLRPC_IS_NUMBER(text[i])
53			+ XMLRPC_IS_NUMBER(text[i+12])
54			tm.tm_min += (text[i+12]-'0')*n;
55			n /= 10;
56			}
57			@@ -252,7 +255,7 @@ static int date_from_ISO8601 (const char text, time_t value) {
58			n = 10;
59			tm.tm_sec = 0;
60			for(i = 0; i < 2; i++) {
61			- XMLRPC_IS_NUMBER(text[i])
62			+ XMLRPC_IS_NUMBER(text[i+15])
63			tm.tm_sec += (text[i+15]-'0')*n;
64			n /= 10;
65			}
66			diff --git a/ext/xmlrpc/tests/bug68027.phpt b/ext/xmlrpc/tests/bug68027.phpt
67			new file mode 100644
68			index 0000000..a5c96f1
69			--- /dev/null
70			+++ b/ext/xmlrpc/tests/bug68027.phpt
71			@@ -0,0 +1,44 @@
72			+--TEST--
73			+Bug #68027 (buffer overflow in mkgmtime() function)
74			+--SKIPIF--
75			+<?php
76			+if (!extension_loaded("xmlrpc")) print "skip";
77			+?>
78			+--FILE--
79			+<?php
80			+
81			+$d = '6-01-01 20:00:00';
82			+xmlrpc_set_type($d, 'datetime');
83			+var_dump($d);
84			+$datetime = "2001-0-08T21:46:40-0400";
85			+$obj = xmlrpc_decode("<?xml version=\"1.0\"?><methodResponse><params><param><value><dateTime.iso8601>$datetime</dateTime.iso8601></value></param></params></methodResponse>");
86			+print_r($obj);
87			+
88			+$datetime = "34770-0-08T21:46:40-0400";
89			+$obj = xmlrpc_decode("<?xml version=\"1.0\"?><methodResponse><params><param><value><dateTime.iso8601>$datetime</dateTime.iso8601></value></param></params></methodResponse>");
90			+print_r($obj);
91			+
92			+echo "Done\n";
93			+?>
94			+--EXPECTF--
95			+object(stdClass)#1 (3) {
96			+ ["scalar"]=>
97			+ string(16) "6-01-01 20:00:00"
98			+ ["xmlrpc_type"]=>
99			+ string(8) "datetime"
100			+ ["timestamp"]=>
101			+ int(%d)
102			+}
103			+stdClass Object
104			+(
105			+ [scalar] => 2001-0-08T21:46:40-0400
106			+ [xmlrpc_type] => datetime
107			+ [timestamp] => %s
108			+)
109			+stdClass Object
110			+(
111			+ [scalar] => 34770-0-08T21:46:40-0400
112			+ [xmlrpc_type] => datetime
113			+ [timestamp] => %d
114			+)
115			+Done
116			--
117			2.1.0
118