
Commit d8da372

committed
Fix CVE-2010-0397: null pointer dereference when processing invalid XML-RPC
requests (bug #51288)
1 parent 1c6ea06 commit d8da372


3 files changed

+27
-4
lines changed


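--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,9 @@ PHP NEWS
 - Added stream filter support to mcrypt extension (ported from
 mcrypt_filter). (Stas)
 
+- Fixed a NULL pointer dereference when processing invalid XML-RPC
+requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert)
+
 - Fixed bug #51269 (zlib.output_compression Overwrites Vary Header). (Adam)
 - Fixed bug #51257 (CURL_VERSION_LARGEFILE incorrectly used after libcurl
 version 7.10.1). (aron dot ujvari at microsec dot hu)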

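--- a/ext/xmlrpc/tests/bug51288.phpt
+++ b/ext/xmlrpc/tests/bug51288.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Bug #51288 (CVE-2010-0397, NULL pointer deref when no <methodName> in request)
+--FILE--
+<?php
+$method = NULL;
+$req = '<?xml version="1.0"?><methodCall></methodCall>';
+var_dump(xmlrpc_decode_request($req, $method));
+var_dump($method);
+echo "Done\n";
+?>
+--EXPECT--
+NULL
+NULL
+Done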
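Review bot: The test has no `--SKIPIF--` section, so on a build without the xmlrpc extension it will fail on the undefined `xmlrpc_decode_request()` instead of being skipped; add `--SKIPIF--` followed by `<?php if (!extension_loaded("xmlrpc")) print "skip"; ?>` ahead of `--FILE--`. The only input exercised is an empty `<methodCall>`. A second case with an empty `<methodName/>` element would show whether that shape also takes the NULL path or yields an empty string, which the C change does not make obvious.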

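--- a/ext/xmlrpc/xmlrpc-epi-php.c
+++ b/ext/xmlrpc/xmlrpc-epi-php.c
@@ -778,6 +778,7 @@ zval* decode_request_worker(char *xml_in, int xml_in_len, char *encoding_in, zva
 zval* retval = NULL;
 XMLRPC_REQUEST response;
 STRUCT_XMLRPC_REQUEST_INPUT_OPTIONS opts = {{0}};
+const char *method_name;
 opts.xml_elem_opts.encoding = encoding_in ? utf8_get_encoding_id_from_string(encoding_in) : ENCODING_DEFAULT;
 
 /* generate XMLRPC_REQUEST from raw xml */
@@ -788,10 +789,15 @@ zval* decode_request_worker(char *xml_in, int xml_in_len, char *encoding_in, zva
 
 if (XMLRPC_RequestGetRequestType(response) == xmlrpc_request_call) {
 if (method_name_out) {
-zval_dtor(method_name_out);
-Z_TYPE_P(method_name_out) = IS_STRING;
-Z_STRVAL_P(method_name_out) = estrdup(XMLRPC_RequestGetMethodName(response));
-Z_STRLEN_P(method_name_out) = strlen(Z_STRVAL_P(method_name_out));
+method_name = XMLRPC_RequestGetMethodName(response);
+if (method_name) {
+zval_dtor(method_name_out);
+Z_TYPE_P(method_name_out) = IS_STRING;
+Z_STRVAL_P(method_name_out) = estrdup(method_name);
+Z_STRLEN_P(method_name_out) = strlen(Z_STRVAL_P(method_name_out));
+} else {
+retval = NULL;
+}
 }
 }
 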
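Review bot: The new `else` branch overwrites `retval` with NULL without releasing whatever it pointed to. The lines that assign `retval` sit between the two hunks and are not shown, but if the request data has already been converted to a zval by then, every call without a `<methodName>` would leak that zval, so the crash fix may leave a per-request memory leak that malformed input can trigger. Consider `} else if (retval) {` with `zval_ptr_dtor(&retval);` before `retval = NULL;`, plus a comment on the branch such as `/* no <methodName>: reject the call and return NULL */`. The guard also runs only when `method_name_out` is non-NULL, so it is worth confirming whether callers that pass no out parameter should still get decoded data for a call without a method name. decode_request_worker starts and ends outside the hunks.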
