File php-CVE-2016-7418.patch of Package php5.openSUSE_Leap_42.1_Update

X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fwddx%2Fwddx.c;h=0e77826ce8476ea0cb0186dd7cec95b0c0129685;hp=b02d2f07ded469c5ed8256e422428d3ce8bee637;hb=c4cca4c20e75359c9a13a1f9a36cb7b4e9601d29;hpb=f5a9592ad8d2b60cabbaff00662477528ecefb48

Index: php-5.6.1/ext/wddx/wddx.c
===================================================================
--- php-5.6.1.orig/ext/wddx/wddx.c	2016-09-23 09:02:55.330571006 +0200
+++ php-5.6.1/ext/wddx/wddx.c	2016-09-23 09:04:15.843860839 +0200
@@ -780,10 +780,10 @@ static void php_wddx_push_element(void *
 		int i;
 		
 		if (atts) for (i = 0; atts[i]; i++) {
-			if (!strcmp(atts[i], EL_CHAR_CODE) && atts[++i] && atts[i][0]) {
+			if (!strcmp(atts[i], EL_CHAR_CODE) && atts[i+1] && atts[i+1][0]) {
 				char tmp_buf[2];
 
-				snprintf(tmp_buf, sizeof(tmp_buf), "%c", (char)strtol(atts[i], NULL, 16));
+				snprintf(tmp_buf, sizeof(tmp_buf), "%c", (char)strtol(atts[i+1], NULL, 16));
 				php_wddx_process_data(user_data, tmp_buf, strlen(tmp_buf));
 				break;
 			}
@@ -801,7 +801,7 @@ static void php_wddx_push_element(void *
 		int i;
 
 		if (atts) for (i = 0; atts[i]; i++) {
-			if (!strcmp(atts[i], EL_VALUE) && atts[++i] && atts[i][0]) {
+			if (!strcmp(atts[i], EL_VALUE) && atts[i+1] && atts[i+1][0]) {
 				ent.type = ST_BOOLEAN;
 				SET_STACK_VARNAME;
 
@@ -809,7 +809,7 @@ static void php_wddx_push_element(void *
 				INIT_PZVAL(ent.data);
 				Z_TYPE_P(ent.data) = IS_BOOL;
 				wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry));
-				php_wddx_process_data(user_data, atts[i], strlen(atts[i]));
+				php_wddx_process_data(user_data, atts[i+1], strlen(atts[i+1]));
 				break;
 			}
 		}
@@ -842,8 +842,8 @@ static void php_wddx_push_element(void *
 		int i;
 		
 		if (atts) for (i = 0; atts[i]; i++) {
-			if (!strcmp(atts[i], EL_NAME) && atts[++i] && atts[i][0]) {
-				stack->varname = estrdup(atts[i]);
+			if (!strcmp(atts[i], EL_NAME) && atts[i+1] && atts[i+1][0]) {
+				stack->varname = estrdup(atts[i+1]);
 				break;
 			}
 		}
@@ -856,11 +856,12 @@ static void php_wddx_push_element(void *
 		array_init(ent.data);
 
 		if (atts) for (i = 0; atts[i]; i++) {
-			if (!strcmp(atts[i], "fieldNames") && atts[++i] && atts[i][0]) {
+			if (!strcmp(atts[i], "fieldNames") && atts[i+1] && atts[i+1][0]) {
 				zval *tmp;
 				char *key;
 				char *p1, *p2, *endp;
 
+				i++;
 				endp = (char *)atts[i] + strlen(atts[i]);
 				p1 = (char *)atts[i];
 				while ((p2 = php_memnstr(p1, ",", sizeof(",")-1, endp)) != NULL) {
@@ -892,13 +893,13 @@ static void php_wddx_push_element(void *
 		ent.data = NULL;
 
 		if (atts) for (i = 0; atts[i]; i++) {
-			if (!strcmp(atts[i], EL_NAME) && atts[++i] && atts[i][0]) {
+			if (!strcmp(atts[i], EL_NAME) && atts[i+1] && atts[i+1][0]) {
 				st_entry *recordset;
 				zval **field;
  
 				if (wddx_stack_top(stack, (void**)&recordset) == SUCCESS &&
 					recordset->type == ST_RECORDSET &&
-					zend_hash_find(Z_ARRVAL_P(recordset->data), (char*)atts[i], strlen(atts[i])+1, (void**)&field) == SUCCESS) {
+					zend_hash_find(Z_ARRVAL_P(recordset->data), (char*)atts[i+1], strlen(atts[i+1])+1, (void**)&field) == SUCCESS) {
 					ent.data = *field;
 				}