php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Return to Bug #68027
Patch fix-date-parsing revision 2014-09-29 23:52 UTC by stas@php.net
revision 2014-09-29 00:34 UTC by stas@php.net

Patch fix-date-parsing for *General Issues Bug #68027

Patch version 2014-09-29 23:52 UTC

Return to Bug #68027 | Download this patch
This patch renders other patches obsolete

Obsolete patches:

Patch Revisions:

Developer: stas@php.net

commit a89b63446246e6718e17c139566a4535f18be3c2
Author: Stanislav Malyshev <stas@php.net>
Date:   Sun Sep 28 17:33:44 2014 -0700

    Fix bug #68027 - fix date parsing in XMLRPC lib

diff --git a/ext/xmlrpc/libxmlrpc/xmlrpc.c b/ext/xmlrpc/libxmlrpc/xmlrpc.c
index ce70c2a..b766a54 100644
--- a/ext/xmlrpc/libxmlrpc/xmlrpc.c
+++ b/ext/xmlrpc/libxmlrpc/xmlrpc.c
@@ -219,16 +219,19 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
    n = 10;
    tm.tm_mon = 0;
    for(i = 0; i < 2; i++) {
-      XMLRPC_IS_NUMBER(text[i])
+      XMLRPC_IS_NUMBER(text[i+4])
       tm.tm_mon += (text[i+4]-'0')*n;
       n /= 10;
    }
    tm.tm_mon --;
+   if(tm.tm_mon < 0 || tm.tm_mon > 11) {
+       return -1;
+   }
 
    n = 10;
    tm.tm_mday = 0;
    for(i = 0; i < 2; i++) {
-      XMLRPC_IS_NUMBER(text[i])
+      XMLRPC_IS_NUMBER(text[i+6])
       tm.tm_mday += (text[i+6]-'0')*n;
       n /= 10;
    }
@@ -236,7 +239,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
    n = 10;
    tm.tm_hour = 0;
    for(i = 0; i < 2; i++) {
-      XMLRPC_IS_NUMBER(text[i])
+      XMLRPC_IS_NUMBER(text[i+9])
       tm.tm_hour += (text[i+9]-'0')*n;
       n /= 10;
    }
@@ -244,7 +247,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
    n = 10;
    tm.tm_min = 0;
    for(i = 0; i < 2; i++) {
-      XMLRPC_IS_NUMBER(text[i])
+      XMLRPC_IS_NUMBER(text[i+12])
       tm.tm_min += (text[i+12]-'0')*n;
       n /= 10;
    }
@@ -252,7 +255,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) {
    n = 10;
    tm.tm_sec = 0;
    for(i = 0; i < 2; i++) {
-      XMLRPC_IS_NUMBER(text[i])
+      XMLRPC_IS_NUMBER(text[i+15])
       tm.tm_sec += (text[i+15]-'0')*n;
       n /= 10;
    }
diff --git a/ext/xmlrpc/tests/bug68027.phpt b/ext/xmlrpc/tests/bug68027.phpt
new file mode 100644
index 0000000..a5c96f1
--- /dev/null
+++ b/ext/xmlrpc/tests/bug68027.phpt
@@ -0,0 +1,44 @@
+--TEST--
+Bug #68027 (buffer overflow in mkgmtime() function)
+--SKIPIF--
+<?php
+if (!extension_loaded("xmlrpc")) print "skip";
+?>
+--FILE--
+<?php
+
+$d = '6-01-01 20:00:00';
+xmlrpc_set_type($d, 'datetime');
+var_dump($d);
+$datetime = "2001-0-08T21:46:40-0400";
+$obj = xmlrpc_decode("<?xml version=\"1.0\"?><methodResponse><params><param><value><dateTime.iso8601>$datetime</dateTime.iso8601></value></param></params></methodResponse>");
+print_r($obj);
+
+$datetime = "34770-0-08T21:46:40-0400";
+$obj = xmlrpc_decode("<?xml version=\"1.0\"?><methodResponse><params><param><value><dateTime.iso8601>$datetime</dateTime.iso8601></value></param></params></methodResponse>");
+print_r($obj);
+
+echo "Done\n";
+?>
+--EXPECTF--	
+object(stdClass)#1 (3) {
+  ["scalar"]=>
+  string(16) "6-01-01 20:00:00"
+  ["xmlrpc_type"]=>
+  string(8) "datetime"
+  ["timestamp"]=>
+  int(%d)
+}
+stdClass Object
+(
+    [scalar] => 2001-0-08T21:46:40-0400
+    [xmlrpc_type] => datetime
+    [timestamp] => %s
+)
+stdClass Object
+(
+    [scalar] => 34770-0-08T21:46:40-0400
+    [xmlrpc_type] => datetime
+    [timestamp] => %d
+)
+Done
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Tue Sep 17 00:01:27 2019 UTC