PHP :: Bug #42189 :: xmlrpc_set

PHP :: Bug #42189 :: xmlrpc_set_type() crashes php

Bug #42189

xmlrpc_set_type() crashes php

Submitted:

2007-08-02 20:56 UTC

Modified:

2007-09-18 19:52 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

giunta dot gaetano at gmail dot com

Assigned:

Status:

Closed

Package:

XMLRPC-EPI related

PHP Version:

5.2.3

OS:

windows xp or 2000

Private report:

CVE-ID:

None

[2007-08-02 20:56 UTC] giunta dot gaetano at gmail dot com

Description:
------------
Trying to cast a non-iso8601 conforming string to an xmlrpc datetime object crashes php.
This happens if the characters in position 0 to 6 are too high in the ascii table, presumably moving the converted date too far away in the future

This is repro with php 447 and 523

Note that it 'might' be the same bug as #22468 (the cause looks the same allright), with the difference that you get corrupted data on gentoo, and a core dump on winblows...

Reproduce code:
---------------
<?php

// char ~ is 127 in ascii table, in xmlrpc.c '0' is subtracted, so we end up with the number 79 used for every digit of every date part
// year = 79*1000+79*100+79*10+79, etc...
// from date_from_ISO8601, in line 161 in xmlrpc.c
// called from set_zval_xmlrpc_type in xmlrpc-epi-php.c

$params = '~~~~~~~~~~~~~~~~~~';
$ok = xmlrpc_set_type ( $params, 'datetime' );
var_dump($ok);
?>

Expected result:
----------------
false

Actual result:
--------------
CRASH'N'BURN

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2007-08-06 10:00 UTC] giunta dot gaetano at gmail dot com

As a side note, mostly to comments on #22468 - the official epi lib has not seen any cvs commit in about 5 years, and the php engine is possibly the biggest user of the lib, so I would not mind too much forking the underlying codebase (bug #69492 was opened there after the php devs refused to fix 22468, but it's till open after 4,5 years...)

[2007-08-15 19:49 UTC] giunta dot gaetano at gmail dot com

I do not think it is going away anytime soon, as much as everybody could 
wish it, just because of the critical mass it has reached (kinda likle 
http and html...). It is widely used in blogging tools for trackbacks, 
by red hat for their rhn system update tool, and has a lot of libraries 
written in every conceivable language. Oh, and least I forget, it is 
also used by PEAR as THE distribution protocol, isn't it? Iirc breaking 
support for HTTP_RAW_MESSAGE (and hence pear xmlrpc) in php 5.2.2 caused 
quite an unpheaval in the user base...

Otoh, xmlrpc might be dead and cold in the grave, it does not mean that 
a crasher bug has got to be left unpatched (imho, of course ;)

[2007-09-18 19:52 UTC] iliaa@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.