File: CVE-2013-4113.patch

php5 5.3.3-7%2Bsqueeze19
From 7d163e8a0880ae8af2dd869071393e5dc07ef271 Mon Sep 17 00:00:00 2001
From: Rob Richards <rrichards@php.net>
Date: Sat, 6 Jul 2013 07:53:07 -0400
Subject: [PATCH] truncate results at depth of 255 to prevent corruption

---
 ext/xml/xml.c | 90 +++++++++++++++++++++++++++++++++--------------------------
 1 file changed, 50 insertions(+), 40 deletions(-)

--- php5-squeeze.orig/ext/xml/xml.c
+++ php5-squeeze/ext/xml/xml.c
@@ -427,7 +427,7 @@ static void xml_parser_dtor(zend_rsrc_li
 	}
 	if (parser->ltags) {
 		int inx;
-		for (inx = 0; inx < parser->level; inx++)
+		for (inx = 0; ((inx < parser->level) && (inx < XML_MAXLEVEL)); inx++)
 			efree(parser->ltags[ inx ]);
 		efree(parser->ltags);
 	}
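Review bot: The new bound `inx < XML_MAXLEVEL` in the free loop is only correct if `parser->ltags` holds exactly XML_MAXLEVEL slots, and neither the allocation nor the macro's definition is part of this patch. A comment at the loop would record that dependency, e.g. `/* ltags has XML_MAXLEVEL slots; level can exceed that once results are truncated */`. The same limit is restated as `parser->level <= XML_MAXLEVEL` in the three later hunks, so a small predicate macro or static helper would keep the four checks from drifting apart. xml_parser_dtor's body starts and ends outside the hunk.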
@@ -905,45 +905,50 @@ void _xml_startElementHandler(void *user
 		} 
 
 		if (parser->data) {
-			zval *tag, *atr;
-			int atcnt = 0;
+			if (parser->level <= XML_MAXLEVEL)  {
+				zval *tag, *atr;
+				int atcnt = 0;
 
-			MAKE_STD_ZVAL(tag);
-			MAKE_STD_ZVAL(atr);
+				MAKE_STD_ZVAL(tag);
+				MAKE_STD_ZVAL(atr);
 
-			array_init(tag);
-			array_init(atr);
+				array_init(tag);
+				array_init(atr);
 
-			_xml_add_to_info(parser,((char *) tag_name) + parser->toffset);
+				_xml_add_to_info(parser,((char *) tag_name) + parser->toffset);
 
-			add_assoc_string(tag,"tag",((char *) tag_name) + parser->toffset,1); /* cast to avoid gcc-warning */
-			add_assoc_string(tag,"type","open",1);
-			add_assoc_long(tag,"level",parser->level);
+				add_assoc_string(tag,"tag",((char *) tag_name) + parser->toffset,1); /* cast to avoid gcc-warning */
+				add_assoc_string(tag,"type","open",1);
+				add_assoc_long(tag,"level",parser->level);
 
-			parser->ltags[parser->level-1] = estrdup(tag_name);
-			parser->lastwasopen = 1;
+				parser->ltags[parser->level-1] = estrdup(tag_name);
+				parser->lastwasopen = 1;
 
-			attributes = (const XML_Char **) attrs;
+				attributes = (const XML_Char **) attrs;
 
-			while (attributes && *attributes) {
-				att = _xml_decode_tag(parser, attributes[0]);
-				val = xml_utf8_decode(attributes[1], strlen(attributes[1]), &val_len, parser->target_encoding);
-				
-				add_assoc_stringl(atr,att,val,val_len,0);
+				while (attributes && *attributes) {
+					att = _xml_decode_tag(parser, attributes[0]);
+					val = xml_utf8_decode(attributes[1], strlen(attributes[1]), &val_len, parser->target_encoding);
 
-				atcnt++;
-				attributes += 2;
+					add_assoc_stringl(atr,att,val,val_len,0);
 
-				efree(att);
-			}
+					atcnt++;
+					attributes += 2;
 
-			if (atcnt) {
-				zend_hash_add(Z_ARRVAL_P(tag),"attributes",sizeof("attributes"),&atr,sizeof(zval*),NULL);
-			} else {
-				zval_ptr_dtor(&atr);
-			}
+					efree(att);
+				}
+
+				if (atcnt) {
+					zend_hash_add(Z_ARRVAL_P(tag),"attributes",sizeof("attributes"),&atr,sizeof(zval*),NULL);
+				} else {
+					zval_ptr_dtor(&atr);
+				}
 
-			zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),(void *) &parser->ctag);
+				zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),(void *) &parser->ctag);
+			} else if (parser->level == (XML_MAXLEVEL + 1)) {
+				TSRMLS_FETCH();
+				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Maximum depth exceeded - Results truncated");
+			}
 		}
 
 		efree(tag_name);
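Review bot: `parser->lastwasopen = 1` and the `parser->ctag` update done through `zend_hash_next_index_insert` now sit inside the `parser->level <= XML_MAXLEVEL` guard, so for an element beyond the limit both keep the values left by the last recorded element. Code that reads them for the deeper element (the end-element and character-data paths are only partly visible in this patch) would presumably attach a close or text to that earlier entry instead of dropping it. Please confirm how those readers behave past the limit and add a regression test with nesting deeper than XML_MAXLEVEL. At minimum the else branch deserves a comment such as `/* past XML_MAXLEVEL: lastwasopen and ctag still describe the last recorded element */`. The handler's body starts and ends outside the hunk.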
@@ -995,7 +1000,7 @@ void _xml_endElementHandler(void *userDa
 
 		efree(tag_name);
 
-		if (parser->ltags) {
+		if ((parser->ltags) && (parser->level <= XML_MAXLEVEL)) {
 			efree(parser->ltags[parser->level-1]);
 		}
 
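Review bot: The index `parser->level-1` in `efree(parser->ltags[parser->level-1])` now has an upper bound but still no lower one, and the freed slot keeps its old pointer. Both are safe only as long as the level bookkeeping outside this hunk never lets the handler run with `parser->level` at 0 and always decrements it before xml_parser_dtor walks the array. Adding `parser->ltags[parser->level-1] = NULL;` after the `efree` and extending the condition with `parser->level > 0` would make this block safe on its own; whether `efree` accepts NULL in this tree should be checked before relying on that in the destructor loop. The enclosing function starts and ends outside the hunk.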
@@ -1079,18 +1084,23 @@ void _xml_characterDataHandler(void *use
 						}
 					}
 
-					MAKE_STD_ZVAL(tag);
-					
-					array_init(tag);
-					
-					_xml_add_to_info(parser,parser->ltags[parser->level-1] + parser->toffset);
+					if (parser->level <= XML_MAXLEVEL) {
+						MAKE_STD_ZVAL(tag);
 
-					add_assoc_string(tag,"tag",parser->ltags[parser->level-1] + parser->toffset,1);
-					add_assoc_string(tag,"value",decoded_value,0);
-					add_assoc_string(tag,"type","cdata",1);
-					add_assoc_long(tag,"level",parser->level);
+						array_init(tag);
 
-					zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),NULL);
+						_xml_add_to_info(parser,parser->ltags[parser->level-1] + parser->toffset);
+
+						add_assoc_string(tag,"tag",parser->ltags[parser->level-1] + parser->toffset,1);
+						add_assoc_string(tag,"value",decoded_value,0);
+						add_assoc_string(tag,"type","cdata",1);
+						add_assoc_long(tag,"level",parser->level);
+
+						zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),NULL);
+					} else if (parser->level == (XML_MAXLEVEL + 1)) {
+						TSRMLS_FETCH();
+						php_error_docref(NULL TSRMLS_CC, E_WARNING, "Maximum depth exceeded - Results truncated");
+					}
 				}
 			} else {
 				efree(decoded_value);
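Review bot: In the new over-depth path nothing visible releases `decoded_value`: the guarded branch hands it to the array with `add_assoc_string(tag,"value",decoded_value,0)` and the trailing `else` calls `efree(decoded_value)`, but when `parser->level > XML_MAXLEVEL` neither runs, so each text node nested deeper than the limit appears to leak its buffer until the request ends. Turning the `else if` into a plain `else` that performs the `parser->level == (XML_MAXLEVEL + 1)` warning check and then always calls `efree(decoded_value);` would close that. The warning is also raised on every callback at that depth, here and in the start-element hunk, so a document with many nodes at level XML_MAXLEVEL + 1 repeats it; warning once per parser would keep logs usable. The enclosing function starts and ends outside the hunk.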