Grokbase Groups PHP php-cvs May 2016
FAQ
Commit: d1dd9b4558e9c1b2e86887f99c009063ee3eb5f4
Author: Xinchen Hui <laruence@gmail.com> Tue, 31 May 2016 11:44:20 +0800
Parents: a811b5e38d9ccbbce70658c9bc59515bf9208019
Branches: PHP-7.0 master

Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=d1dd9b4558e9c1b2e86887f99c009063ee3eb5f4

Log:
Re-Fixed bug #72155 (use-after-free caused by get_zval_xmlrpc_type)

Bugs:
https://bugs.php.net/72155

Changed paths:
   M NEWS
   A ext/xmlrpc/tests/bug72155.phpt
   M ext/xmlrpc/xmlrpc-epi-php.c


Diff:
diff --git a/NEWS b/NEWS
index 1988e93..6fc0149 100644
--- a/NEWS
+++ b/NEWS
@@ -33,10 +33,11 @@ PHP NEWS
      (Thomas Punt)

  - XML:
- . Fixed #72206 (xml_parser_create/xml_parser_free leaks mem). (Joe)
+ . Fixed bug #72206 (xml_parser_create/xml_parser_free leaks mem). (Joe)

  - XMLRPC:
- . Fixed #72155 (use-after-free caused by get_zval_xmlrpc_type). (Joe)
+ . Fixed bug #72155 (use-after-free caused by get_zval_xmlrpc_type).
+ (Joe, Laruence)

  - Zip:
    . Fixed ug #72258 (ZipArchive converts filenames to unrecoverable form).
diff --git a/ext/xmlrpc/tests/bug72155.phpt b/ext/xmlrpc/tests/bug72155.phpt
new file mode 100644
index 0000000..38c90be
--- /dev/null
+++ b/ext/xmlrpc/tests/bug72155.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Bug #72155 (use-after-free caused by get_zval_xmlrpc_type)
+--SKIPIF--
+<?php
+if (!extension_loaded("xmlrpc")) print "skip";
+?>
+--FILE--
+<?php
+$var0 = fopen("/etc/passwd","r");
+$var1 = xmlrpc_encode($var0);
+var_dump($var1);
+?>
+--EXPECTF--
+string(109) "<?xml version="1.0" encoding="utf-8"?>
+<params>
+<param>
+ <value>
+ <int>5</int>
+ </value>
+</param>
+</params>
+"
diff --git a/ext/xmlrpc/xmlrpc-epi-php.c b/ext/xmlrpc/xmlrpc-epi-php.c
index ea62bdc..b5dcee8 100644
--- a/ext/xmlrpc/xmlrpc-epi-php.c
+++ b/ext/xmlrpc/xmlrpc-epi-php.c
@@ -535,7 +535,7 @@ static XMLRPC_VALUE PHP_to_XMLRPC_worker (const char* key, zval* in_val, int dep
       xReturn = XMLRPC_CreateValueBoolean(key, Z_TYPE(val) == IS_TRUE);
       break;
      case xmlrpc_int:
- convert_to_long(&val);
+ ZVAL_LONG(&val, zval_get_long(&val));
       xReturn = XMLRPC_CreateValueInt(key, Z_LVAL(val));
       break;
      case xmlrpc_double:

Search Discussions

Related Discussions

Discussion Navigation
viewthread | post
Discussion Overview
groupphp-cvs @
categoriesphp
postedMay 31, '16 at 3:44a
activeMay 31, '16 at 3:44a
posts1
users1
websitephp.net

1 user in discussion

Xinchen Hui: 1 post

People

Translate

site design / logo © 2019 Grokbase