Overview

File php7-CVE-2025-1219.patch of Package php7.37963

Index: php-7.4.33/ext/libxml/libxml.c
===================================================================
--- php-7.4.33.orig/ext/libxml/libxml.c
+++ php-7.4.33/ext/libxml/libxml.c
@@ -420,42 +420,53 @@ php_libxml_input_buffer_create_filename(
 		if (Z_TYPE(s->wrapperdata) == IS_ARRAY) {
 			zval *header;
 
-			ZEND_HASH_FOREACH_VAL_IND(Z_ARRVAL(s->wrapperdata), header) {
+			/* Scan backwards: The header array might contain the headers for multiple responses, if
+			 * a redirect was followed.
+			 */
+			ZEND_HASH_REVERSE_FOREACH_VAL_IND(Z_ARRVAL(s->wrapperdata), header) {
 				const char buf[] = "Content-Type:";
-				if (Z_TYPE_P(header) == IS_STRING &&
-						!zend_binary_strncasecmp(Z_STRVAL_P(header), Z_STRLEN_P(header), buf, sizeof(buf)-1, sizeof(buf)-1)) {
-					char *needle = estrdup("charset=");
-					char *haystack = estrndup(Z_STRVAL_P(header), Z_STRLEN_P(header));
-					char *encoding = php_stristr(haystack, needle, Z_STRLEN_P(header), sizeof("charset=")-1);
+				if (Z_TYPE_P(header) == IS_STRING) {
+					/* If no colon is found in the header, we assume it's the HTTP status line and bail out. */
+					char *colon = memchr(Z_STRVAL_P(header), ':', Z_STRLEN_P(header));
+					char *space = memchr(Z_STRVAL_P(header), ' ', Z_STRLEN_P(header));
+					if (colon == NULL || space < colon) {
+						break;
+					}
+
+					if (!zend_binary_strncasecmp(Z_STRVAL_P(header), Z_STRLEN_P(header), buf, sizeof(buf)-1, sizeof(buf)-1)) {
+						char *needle = estrdup("charset=");
+						char *haystack = estrndup(Z_STRVAL_P(header), Z_STRLEN_P(header));
+						char *encoding = php_stristr(haystack, needle, Z_STRLEN_P(header), sizeof("charset=")-1);
 
-					if (encoding) {
-						char *end;
+						if (encoding) {
+							char *end;
 						
-						encoding += sizeof("charset=")-1;
-						if (*encoding == '"') {
-							encoding++;
-						}
-						end = strchr(encoding, ';');
-						if (end == NULL) {
-							end = encoding + strlen(encoding);
-						}
-						end--; /* end == encoding-1 isn't a buffer underrun */
-						while (*end == ' ' || *end == '\t') {
-							end--;
-						}
-						if (*end == '"') {
-							end--;
-						}
-						if (encoding >= end) continue;
-						*(end+1) = '\0';
-						enc = xmlParseCharEncoding(encoding);
-						if (enc <= XML_CHAR_ENCODING_NONE) {
-							enc = XML_CHAR_ENCODING_NONE;
+							encoding += sizeof("charset=")-1;
+							if (*encoding == '"') {
+								encoding++;
+							}
+							end = strchr(encoding, ';');
+							if (end == NULL) {
+								end = encoding + strlen(encoding);
+							}
+							end--; /* end == encoding-1 isn't a buffer underrun */
+							while (*end == ' ' || *end == '\t') {
+								end--;
+							}
+							if (*end == '"') {
+								end--;
+							}
+							if (encoding >= end) continue;
+							*(end+1) = '\0';
+							enc = xmlParseCharEncoding(encoding);
+							if (enc <= XML_CHAR_ENCODING_NONE) {
+								enc = XML_CHAR_ENCODING_NONE;
+							}
 						}
+						efree(haystack);
+						efree(needle);
+						break; /* found content-type */
 					}
-					efree(haystack);
-					efree(needle);
-					break; /* found content-type */
 				}
 			} ZEND_HASH_FOREACH_END();
 		}
openSUSE Build Service is sponsored by
Places