wddx_serialize_value geneates no wellformed xml
| Bug #38378 | wddx_serialize_value geneates no wellformed xml | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Submitted: | 2006-08-08 09:57 UTC | Modified: | 2006-08-24 08:30 UTC |
|
||||||||||
| From: | clemens at gutweiler dot net | Assigned: | ||||||||||||
| Status: | Closed | Package: | WDDX related | |||||||||||
| PHP Version: | 4.4.3 | OS: | Linux | |||||||||||
| Private report: | No | CVE-ID: | None | |||||||||||
[2006-08-08 09:57 UTC] clemens at gutweiler dot net
Description:
------------
wddx_serialize_value generates an invalid wddx package/xml
string.
in php version 4.4.2 the sample code works, in 4.4.3 not.
Reproduce code:
---------------
<?php
$array = array(
'index' => array(
1 => 'integer key',
'string' => 'string key'
)
);
var_dump( wddx_serialize_value( $array ) );
?>
Expected result:
----------------
/web/cg/playground# /usr/local/php-4.4.2-fastcgi/bin/php
wddx.php
string(219) "<wddxPacket version='1.0'><header/
><data><struct><var name='index'><struct><var
name='1'><string>integer key</string></var><var
name='string'><string>string key</string></var></struct></
var></struct></data></wddxPacket>"
Actual result:
--------------
/web/cg/playground# /usr/local/php-4.4.3-fastcgi/bin/php
wddx.php
string(179) "<wddxPacket version='1.0'><header/
><data><struct><var <struct><string>integer key</string></
var><var n<string>string key</string></var></struct></var></
struct></data></wddxPacket>"
Patches
Pull Requests
History
AllCommentsChangesGit/SVN commits
[2006-08-17 13:06 UTC] hweidner at gmx dot net
The function wddx_serialize_vars seems also affected: $array=array("aaa", "bbb", "ccc"); echo wddx_serialize_vars("array"); creates to the broken XML code unter PHP 4.4.3 <wddxPacket version='1.0'><header/><data><struct><var<array length='3'><string>aaa</string><string>bbb</string><string>ccc</string></array></var></struct></data></wddxPacket>[2006-08-21 14:36 UTC] sj at sjaensch dot org
When replacing sprintf() with snprintf(), the length of the resulting string was calculated wrongly. Patch follows: --- php-4.4.3/ext/wddx/wddx.c Fri May 26 03:55:26 2006 +++ php-4.4.3-fixed/ext/wddx/wddx.c Mon Aug 21 16:30:44 2006 @@ -626,12 +626,13 @@ { char *tmp_buf; char *name_esc; - int name_esc_len; + int name_esc_len, tmp_buf_len; if (name) { name_esc = php_escape_html_entities(name, name_len, &name_esc_len, 0, ENT_QUOTES, NULL TSRMLS_CC); - tmp_buf = emalloc(name_esc_len + 1); - snprintf(tmp_buf, name_esc_len, WDDX_VAR_S, name_esc); + tmp_buf_len = name_esc_len + strlen(WDDX_VAR_S); + tmp_buf = emalloc(tmp_buf_len+1); + snprintf(tmp_buf, tmp_buf_len, WDDX_VAR_S, name_esc); php_wddx_add_chunk(packet, tmp_buf); efree(tmp_buf); efree(name_esc);[2006-08-23 11:11 UTC] grzegorz dot nosek at netart dot pl
You also need something like the patch below because serialization of plain integers is broken too. If you don't want to use full WDDX_BUF_LEN, Z_STRLEN(tmp) + Z_STRLEN(WDDX_NUMBER) (or something) might suffice. Without the patch things like <number>1</number> seem to get eaten. Trivial test case attached in the following diff. --- php/ext/wddx/wddx.c~ Wed Aug 23 12:01:10 2006 +++ php/ext/wddx/wddx.c Wed Aug 23 12:00:35 2006 @@ -432,7 +432,7 @@ tmp = *var; zval_copy_ctor(&tmp); convert_to_string(&tmp); - snprintf(tmp_buf, Z_STRLEN(tmp), WDDX_NUMBER, Z_STRVAL(tmp)); + snprintf(tmp_buf, WDDX_BUF_LEN, WDDX_NUMBER, Z_STRVAL(tmp)); zval_dtor(&tmp); php_wddx_add_chunk(packet, tmp_buf); --- /dev/null Fri Jun 28 13:33:12 2002 +++ php/ext/wddx/tests/bug38738.phpt Wed Aug 23 12:04:10 2006 @@ -0,0 +1,13 @@ +--TEST-- +Bug #38378 wddx_serialize_value geneates no wellformed xml +--FILE-- +<?php + +$hash["int"] = 1; +$hash["string"] = "test"; + +print wddx_serialize_vars('hash')."\n"; +?> +--EXPECT-- +<wddxPacket version='1.0'><header/><data><struct><var name='hash'><struct><var name='int'><number>1</number></var><var name='string'><string>test</string></var></struct></var></struct></data></wddxPacket> +[2006-08-24 08:30 UTC] tony2001@php.net