path: root/recipes/php/php-5.2.13/CVE-2010-0397.patch
blob: 8f70d40a464331312d1b8ca595134107ebb00af6 (plain)
Description: Fix a null pointer dereference when processing invalid
 XML-RPC requests.
Origin: vendor
Forwarded: http://bugs.php.net/51288
Last-Update: 2010-03-12

Index: php/ext/xmlrpc/tests/bug51288.phpt
===================================================================
--- /dev/null
+++ php/ext/xmlrpc/tests/bug51288.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Bug #51288 (CVE-2010-0397, NULL pointer deref when no <methodName> in request)
+--FILE--
+<?php
+$method = NULL;
+$req = '<?xml version="1.0"?><methodCall></methodCall>';
+var_dump(xmlrpc_decode_request($req, $method));
+var_dump($method);
+echo "Done\n";
+?>
+--EXPECT--
+NULL
+NULL
+Done
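Review bot: The new test has no `--SKIPIF--` section, so on a build without the xmlrpc extension `xmlrpc_decode_request()` is undefined and the test fails instead of being skipped. Adding `--SKIPIF--` with `<?php if (!extension_loaded("xmlrpc")) print "skip"; ?>` between `--TEST--` and `--FILE--` would keep this CVE-2010-0397 regression check from producing unrelated failures. The test covers only a `<methodCall>` with no `<methodName>` child, which is the case the bug title describes.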
Index: php/ext/xmlrpc/xmlrpc-epi-php.c
===================================================================
--- php.orig/ext/xmlrpc/xmlrpc-epi-php.c
+++ php/ext/xmlrpc/xmlrpc-epi-php.c
@@ -701,6 +701,7 @@ zval* decode_request_worker (zval* xml_i
 	zval* retval = NULL;
 	XMLRPC_REQUEST response;
 	STRUCT_XMLRPC_REQUEST_INPUT_OPTIONS opts = {{0}};
+	const char *method_name;
 	opts.xml_elem_opts.encoding = encoding_in ? utf8_get_encoding_id_from_string(Z_STRVAL_P(encoding_in)) : ENCODING_DEFAULT;
 
 	/* generate XMLRPC_REQUEST from raw xml */
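Review bot: `method_name` is declared at function scope without an initializer, yet in the visible lines it is assigned and read only inside the `if(method_name_out)` block of the following hunk. Declaring it at the top of that block, as `const char *method_name = XMLRPC_RequestGetMethodName(response);`, keeps the pointer from being visible where it is still uninitialized and stays valid C89. A short comment there, such as `/* NULL when the request carries no <methodName> (bug #51288) */`, would record why the check exists. decode_request_worker's body continues outside this hunk, so uses beyond the visible lines cannot be ruled out.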
@@ -711,10 +712,16 @@ zval* decode_request_worker (zval* xml_i
 
 		if(XMLRPC_RequestGetRequestType(response) == xmlrpc_request_call) {
 			if(method_name_out) {
-				zval_dtor(method_name_out);
-				Z_TYPE_P(method_name_out) = IS_STRING;
-				Z_STRVAL_P(method_name_out) = estrdup(XMLRPC_RequestGetMethodName(response));
-				Z_STRLEN_P(method_name_out) = strlen(Z_STRVAL_P(method_name_out));
+				method_name = XMLRPC_RequestGetMethodName(response);
+				if (method_name) {
+					zval_dtor(method_name_out);
+					Z_TYPE_P(method_name_out) = IS_STRING;
+					Z_STRVAL_P(method_name_out) = estrdup(method_name);
+					Z_STRLEN_P(method_name_out) = strlen(Z_STRVAL_P(method_name_out));
+				} else if (retval) {
+					zval_ptr_dtor(&retval);
+					retval = NULL;
+				}
 			}
 		}