Description: Fix a null pointer dereference when processing invalid XML-RPC requests.
Origin: vendor
Forwarded: http://bugs.php.net/51288
Last-Update: 2010-03-12
Index: php/ext/xmlrpc/tests/bug51288.phpt
===================================================================
--- /dev/null
+++ php/ext/xmlrpc/tests/bug51288.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Bug #51288 (CVE-2010-0397, NULL pointer deref when no in request)
+--FILE--
+';
+var_dump(xmlrpc_decode_request($req, $method));
+var_dump($method);
+echo "Done\n";
+?>
+--EXPECT--
+NULL
+NULL
+Done
Index: php/ext/xmlrpc/xmlrpc-epi-php.c
===================================================================
--- php.orig/ext/xmlrpc/xmlrpc-epi-php.c
+++ php/ext/xmlrpc/xmlrpc-epi-php.c
@@ -701,6 +701,7 @@ zval* decode_request_worker (zval* xml_i
 zval* retval = NULL;
 XMLRPC_REQUEST response;
 STRUCT_XMLRPC_REQUEST_INPUT_OPTIONS opts = {{0}};
+ const char *method_name;
 opts.xml_elem_opts.encoding = encoding_in ? utf8_get_encoding_id_from_string(Z_STRVAL_P(encoding_in)) : ENCODING_DEFAULT;
 /* generate XMLRPC_REQUEST from raw xml */
@@ -711,10 +712,16 @@ zval* decode_request_worker (zval* xml_i
 if(XMLRPC_RequestGetRequestType(response) == xmlrpc_request_call) {
 if(method_name_out) {
- zval_dtor(method_name_out);
- Z_TYPE_P(method_name_out) = IS_STRING;
- Z_STRVAL_P(method_name_out) = estrdup(XMLRPC_RequestGetMethodName(response));
- Z_STRLEN_P(method_name_out) = strlen(Z_STRVAL_P(method_name_out));
+ method_name = XMLRPC_RequestGetMethodName(response);
+ if (method_name) {
+ zval_dtor(method_name_out);
+ Z_TYPE_P(method_name_out) = IS_STRING;
+ Z_STRVAL_P(method_name_out) = estrdup(method_name);
+ Z_STRLEN_P(method_name_out) = strlen(Z_STRVAL_P(method_name_out));
+ } else if (retval) {
+ zval_ptr_dtor(&retval);
+ retval = NULL;
+ }
 }
 }
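Review bot: On the new `else if (retval)` branch in the second hunk of xmlrpc-epi-php.c, the out-parameter `method_name_out` is left as it was. A caller that reuses a variable from an earlier decode therefore gets a NULL return value together with a stale method name, which matters if any caller dispatches on the name without checking the return value. Resetting it on that path would close the gap, for example `zval_dtor(method_name_out); ZVAL_NULL(method_name_out);` placed before `retval` is released, with a comment such as `/* call request without a method name: reject as malformed */`. The NULL check also sits inside `if(method_name_out)`, so a call request without a method name still appears to be returned as valid when no out-parameter is passed; it is worth confirming that this is intended. The assignment of `retval` and the end of decode_request_worker lie outside the hunk, so both points should be checked against the full function.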