File php-CVE-2016-7418.patch of Package php7

X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fwddx%2Fwddx.c;h=7d805e484f27e6dbda86a4f66a16976c4249813b;hp=ecbe153814c8cef90569f45a75db4ab5accbc863;hb=9528ce73156e2b6a5e96e371068b24a5975f4bcd;hpb=c5f34c9eca28769a3cc385501ee55bf153028dc4

Index: php-7.0.7/ext/wddx/wddx.c
===================================================================
--- php-7.0.7.orig/ext/wddx/wddx.c	2016-09-23 08:58:02.133875079 +0200
+++ php-7.0.7/ext/wddx/wddx.c	2016-09-23 08:59:38.231414018 +0200
@@ -736,10 +736,10 @@ static void php_wddx_push_element(void *
 		int i;
 
 		if (atts) for (i = 0; atts[i]; i++) {
-			if (!strcmp((char *)atts[i], EL_CHAR_CODE) && atts[++i] && atts[i][0]) {
+			if (!strcmp((char *)atts[i], EL_CHAR_CODE) && atts[i+1] && atts[i+1][0]) {
 				char tmp_buf[2];
 
-				snprintf(tmp_buf, sizeof(tmp_buf), "%c", (char)strtol((char *)atts[i], NULL, 16));
+				snprintf(tmp_buf, sizeof(tmp_buf), "%c", (char)strtol((char *)atts[i+1], NULL, 16));
 				php_wddx_process_data(user_data, (XML_Char *) tmp_buf, strlen(tmp_buf));
 				break;
 			}
@@ -754,13 +754,13 @@ static void php_wddx_push_element(void *
 		int i;
 
 		if (atts) for (i = 0; atts[i]; i++) {
-			if (!strcmp((char *)atts[i], EL_VALUE) && atts[++i] && atts[i][0]) {
+			if (!strcmp((char *)atts[i], EL_VALUE) && atts[i+1] && atts[i+1][0]) {
 				ent.type = ST_BOOLEAN;
 				SET_STACK_VARNAME;
 
 				ZVAL_TRUE(&ent.data);
 				wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry));
-				php_wddx_process_data(user_data, atts[i], strlen((char *)atts[i]));
+				php_wddx_process_data(user_data, atts[i+1], strlen((char *)atts[i+1]));
 				break;
 			}
 		}
@@ -786,8 +786,8 @@ static void php_wddx_push_element(void *
 		int i;
 
 		if (atts) for (i = 0; atts[i]; i++) {
-			if (!strcmp((char *)atts[i], EL_NAME) && atts[++i] && atts[i][0]) {
-				stack->varname = estrdup((char *)atts[i]);
+			if (!strcmp((char *)atts[i], EL_NAME) && atts[i+1] && atts[i+1][0]) {
+				stack->varname = estrdup((char *)atts[i+1]);
 				break;
 			}
 		}
@@ -799,11 +799,12 @@ static void php_wddx_push_element(void *
 		array_init(&ent.data);
 
 		if (atts) for (i = 0; atts[i]; i++) {
-			if (!strcmp((char *)atts[i], "fieldNames") && atts[++i] && atts[i][0]) {
+			if (!strcmp((char *)atts[i], "fieldNames") && atts[i+1] && atts[i+1][0]) {
 				zval tmp;
 				char *key;
 				const char *p1, *p2, *endp;
 
+				i++;
 				endp = (char *)atts[i] + strlen((char *)atts[i]);
 				p1 = (char *)atts[i];
 				while ((p2 = php_memnstr(p1, ",", sizeof(",")-1, endp)) != NULL) {
@@ -833,13 +834,13 @@ static void php_wddx_push_element(void *
 		ZVAL_UNDEF(&ent.data);
 
 		if (atts) for (i = 0; atts[i]; i++) {
-			if (!strcmp((char *)atts[i], EL_NAME) && atts[++i] && atts[i][0]) {
+			if (!strcmp((char *)atts[i], EL_NAME) && atts[i+1] && atts[i+1][0]) {
 				st_entry *recordset;
 				zval *field;
 
 				if (wddx_stack_top(stack, (void**)&recordset) == SUCCESS &&
 					recordset->type == ST_RECORDSET &&
-					(field = zend_hash_str_find(Z_ARRVAL(recordset->data), (char*)atts[i], strlen((char *)atts[i]))) != NULL) {
+					(field = zend_hash_str_find(Z_ARRVAL(recordset->data), (char*)atts[i+1], strlen((char *)atts[i+1]))) != NULL) {
 					ZVAL_COPY_VALUE(&ent.data, field);
 				}
openSUSE Build Service is sponsored by