php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Return to Bug #51288
Patch CVE-2009-3765 revision 2010-03-13 02:20 UTC by geissert@php.net

Patch CVE-2009-3765 for XMLRPC-EPI related Bug #51288

Patch version 2010-03-13 02:20 UTC

Return to Bug #51288 | Download this patch
Patch Revisions:

Developer: geissert@php.net

Description: Fix a null pointer dereference when processing invalid
 XML-RPC requests.
Origin: vendor
Forwarded: yes

Index: php/ext/xmlrpc/xmlrpc-epi-php.c
===================================================================
--- php.orig/ext/xmlrpc/xmlrpc-epi-php.c
+++ php/ext/xmlrpc/xmlrpc-epi-php.c
@@ -778,6 +778,7 @@ zval* decode_request_worker(char *xml_in
 	zval* retval = NULL;
 	XMLRPC_REQUEST response;
 	STRUCT_XMLRPC_REQUEST_INPUT_OPTIONS opts = {{0}};
+	const char *method_name;
 	opts.xml_elem_opts.encoding = encoding_in ? utf8_get_encoding_id_from_string(encoding_in) : ENCODING_DEFAULT;
 
 	/* generate XMLRPC_REQUEST from raw xml */
@@ -788,10 +789,15 @@ zval* decode_request_worker(char *xml_in
 
 		if (XMLRPC_RequestGetRequestType(response) == xmlrpc_request_call) {
 			if (method_name_out) {
-				zval_dtor(method_name_out);
-				Z_TYPE_P(method_name_out) = IS_STRING;
-				Z_STRVAL_P(method_name_out) = estrdup(XMLRPC_RequestGetMethodName(response));
-				Z_STRLEN_P(method_name_out) = strlen(Z_STRVAL_P(method_name_out));
+				method_name = XMLRPC_RequestGetMethodName(response);
+				if (method_name) {
+					zval_dtor(method_name_out);
+					Z_TYPE_P(method_name_out) = IS_STRING;
+					Z_STRVAL_P(method_name_out) = estrdup(method_name);
+					Z_STRLEN_P(method_name_out) = strlen(Z_STRVAL_P(method_name_out));
+				} else {
+					retval = NULL;
+				}
 			}
 		}
 
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 16 22:02:05 2014 UTC