php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login | |
Patch fix-date-parsing for *General Issues Bug #68027Patch version 2014-09-29 23:52 UTC Return to Bug #68027 | Download this patchThis patch renders other patches obsolete Obsolete patches: Patch Revisions:Developer: stas@php.netcommit a89b63446246e6718e17c139566a4535f18be3c2 Author: Stanislav Malyshev <stas@php.net> Date: Sun Sep 28 17:33:44 2014 -0700 Fix bug #68027 - fix date parsing in XMLRPC lib diff --git a/ext/xmlrpc/libxmlrpc/xmlrpc.c b/ext/xmlrpc/libxmlrpc/xmlrpc.c index ce70c2a..b766a54 100644 --- a/ext/xmlrpc/libxmlrpc/xmlrpc.c +++ b/ext/xmlrpc/libxmlrpc/xmlrpc.c @@ -219,16 +219,19 @@ static int date_from_ISO8601 (const char *text, time_t * value) { n = 10; tm.tm_mon = 0; for(i = 0; i < 2; i++) { - XMLRPC_IS_NUMBER(text[i]) + XMLRPC_IS_NUMBER(text[i+4]) tm.tm_mon += (text[i+4]-'0')*n; n /= 10; } tm.tm_mon --; + if(tm.tm_mon < 0 || tm.tm_mon > 11) { + return -1; + } n = 10; tm.tm_mday = 0; for(i = 0; i < 2; i++) { - XMLRPC_IS_NUMBER(text[i]) + XMLRPC_IS_NUMBER(text[i+6]) tm.tm_mday += (text[i+6]-'0')*n; n /= 10; } @@ -236,7 +239,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { n = 10; tm.tm_hour = 0; for(i = 0; i < 2; i++) { - XMLRPC_IS_NUMBER(text[i]) + XMLRPC_IS_NUMBER(text[i+9]) tm.tm_hour += (text[i+9]-'0')*n; n /= 10; } @@ -244,7 +247,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { n = 10; tm.tm_min = 0; for(i = 0; i < 2; i++) { - XMLRPC_IS_NUMBER(text[i]) + XMLRPC_IS_NUMBER(text[i+12]) tm.tm_min += (text[i+12]-'0')*n; n /= 10; } @@ -252,7 +255,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { n = 10; tm.tm_sec = 0; for(i = 0; i < 2; i++) { - XMLRPC_IS_NUMBER(text[i]) + XMLRPC_IS_NUMBER(text[i+15]) tm.tm_sec += (text[i+15]-'0')*n; n /= 10; } diff --git a/ext/xmlrpc/tests/bug68027.phpt b/ext/xmlrpc/tests/bug68027.phpt new file mode 100644 index 0000000..a5c96f1 --- /dev/null +++ b/ext/xmlrpc/tests/bug68027.phpt @@ -0,0 +1,44 @@ +--TEST-- +Bug #68027 (buffer overflow in mkgmtime() function) +--SKIPIF-- +<?php +if (!extension_loaded("xmlrpc")) print "skip"; +?> +--FILE-- +<?php + +$d = '6-01-01 20:00:00'; +xmlrpc_set_type($d, 'datetime'); +var_dump($d); +$datetime = "2001-0-08T21:46:40-0400"; +$obj = xmlrpc_decode("<?xml version=\"1.0\"?><methodResponse><params><param><value><dateTime.iso8601>$datetime</dateTime.iso8601></value></param></params></methodResponse>"); +print_r($obj); + +$datetime = "34770-0-08T21:46:40-0400"; +$obj = xmlrpc_decode("<?xml version=\"1.0\"?><methodResponse><params><param><value><dateTime.iso8601>$datetime</dateTime.iso8601></value></param></params></methodResponse>"); +print_r($obj); + +echo "Done\n"; +?> +--EXPECTF-- +object(stdClass)#1 (3) { + ["scalar"]=> + string(16) "6-01-01 20:00:00" + ["xmlrpc_type"]=> + string(8) "datetime" + ["timestamp"]=> + int(%d) +} +stdClass Object +( + [scalar] => 2001-0-08T21:46:40-0400 + [xmlrpc_type] => datetime + [timestamp] => %s +) +stdClass Object +( + [scalar] => 34770-0-08T21:46:40-0400 + [xmlrpc_type] => datetime + [timestamp] => %d +) +Done |
Copyright © 2001-2024 The PHP Group All rights reserved. |
Last updated: Thu Nov 21 11:01:29 2024 UTC |