php5 5.6.0+dfsg-1
[pkg-php/php.git] / debian / patches / CVE-2010-0397.patch
1 Description: Fix a null pointer dereference when processing invalid
2  XML-RPC requests.
3 Origin: vendor
4 Forwarded: yes
5
6 Index: php/ext/xmlrpc/xmlrpc-epi-php.c
7 ===================================================================
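--- a/ext/xmlrpc/xmlrpc-epi-php.c
+++ b/ext/xmlrpc/xmlrpc-epi-php.c
@@ -778,6 +778,7 @@ zval* decode_request_worker(char *xml_in
        zval* retval = NULL;
        XMLRPC_REQUEST response;
        STRUCT_XMLRPC_REQUEST_INPUT_OPTIONS opts = {{0}};
+       const char *method_name;
        opts.xml_elem_opts.encoding = encoding_in ? utf8_get_encoding_id_from_string(encoding_in) : ENCODING_DEFAULT;
 
        /* generate XMLRPC_REQUEST from raw xml */
@@ -788,10 +789,15 @@ zval* decode_request_worker(char *xml_in
 
                if (XMLRPC_RequestGetRequestType(response) == xmlrpc_request_call) {
                        if (method_name_out) {
-                               zval_dtor(method_name_out);
-                               Z_TYPE_P(method_name_out) = IS_STRING;
-                               Z_STRVAL_P(method_name_out) = estrdup(XMLRPC_RequestGetMethodName(response));
-                               Z_STRLEN_P(method_name_out) = strlen(Z_STRVAL_P(method_name_out));
+                               method_name = XMLRPC_RequestGetMethodName(response);
+                               if (method_name) {
+                                       zval_dtor(method_name_out);
+                                       Z_TYPE_P(method_name_out) = IS_STRING;
+                                       Z_STRVAL_P(method_name_out) = estrdup(method_name);
+                                       Z_STRLEN_P(method_name_out) = strlen(Z_STRVAL_P(method_name_out));
+                               } else {
+                                       retval = NULL;
+                               }
                        }
                }
 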
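Review bot: In the new `else` branch of the second hunk, `retval = NULL;` only overwrites the pointer and releases nothing. If `retval` already holds the decoded value at that point (any such assignment is in the part of decode_request_worker above the hunk, not visible here), that value is leaked each time an invalid request without a method name is processed. The branch should free it before clearing, e.g. `} else if (retval) { zval_ptr_dtor(&retval); retval = NULL; }`. A one-line comment such as `/* call without a method name: discard the result instead of passing NULL to estrdup() */` would record why the result is dropped. The function body continues past the end of the hunk.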