File php-CVE-2016-7418.patch of Package php5.openSUSE_Leap_42.1_Update
X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fwddx%2Fwddx.c;h=0e77826ce8476ea0cb0186dd7cec95b0c0129685;hp=b02d2f07ded469c5ed8256e422428d3ce8bee637;hb=c4cca4c20e75359c9a13a1f9a36cb7b4e9601d29;hpb=f5a9592ad8d2b60cabbaff00662477528ecefb48
Index: php-5.6.1/ext/wddx/wddx.c
===================================================================
--- php-5.6.1.orig/ext/wddx/wddx.c 2016-09-23 09:02:55.330571006 +0200
+++ php-5.6.1/ext/wddx/wddx.c 2016-09-23 09:04:15.843860839 +0200
@@ -780,10 +780,10 @@ static void php_wddx_push_element(void *
int i;
if (atts) for (i = 0; atts[i]; i++) {
- if (!strcmp(atts[i], EL_CHAR_CODE) && atts[++i] && atts[i][0]) {
+ if (!strcmp(atts[i], EL_CHAR_CODE) && atts[i+1] && atts[i+1][0]) {
char tmp_buf[2];
- snprintf(tmp_buf, sizeof(tmp_buf), "%c", (char)strtol(atts[i], NULL, 16));
+ snprintf(tmp_buf, sizeof(tmp_buf), "%c", (char)strtol(atts[i+1], NULL, 16));
php_wddx_process_data(user_data, tmp_buf, strlen(tmp_buf));
break;
}
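Review bot: The attribute loop in this hunk still advances one slot at a time (`for (i = 0; atts[i]; i++)`), so attribute values are compared against `EL_CHAR_CODE` as if they were names. This assumes `atts` is the parser's alternating name/value array, which the `atts[i+1]` reads suggest. A value that happens to equal the attribute name would match, and the next attribute's name would then be consumed as its value. The new `atts[i+1]` check keeps that read in bounds, so this is a parsing-correctness gap rather than a memory-safety one; walking in pairs closes it: `if (atts) for (i = 0; atts[i] && atts[i+1]; i += 2) {`. The same loop shape is in the `EL_VALUE`, both `EL_NAME` and the `"fieldNames"` hunks below; the `"fieldNames"` branch adds an `i++` that would need to go if the stride changes, and the function body extends outside all of these hunks.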
@@ -801,7 +801,7 @@ static void php_wddx_push_element(void *
int i;
if (atts) for (i = 0; atts[i]; i++) {
- if (!strcmp(atts[i], EL_VALUE) && atts[++i] && atts[i][0]) {
+ if (!strcmp(atts[i], EL_VALUE) && atts[i+1] && atts[i+1][0]) {
ent.type = ST_BOOLEAN;
SET_STACK_VARNAME;
@@ -809,7 +809,7 @@ static void php_wddx_push_element(void *
INIT_PZVAL(ent.data);
Z_TYPE_P(ent.data) = IS_BOOL;
wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry));
- php_wddx_process_data(user_data, atts[i], strlen(atts[i]));
+ php_wddx_process_data(user_data, atts[i+1], strlen(atts[i+1]));
break;
}
}
@@ -842,8 +842,8 @@ static void php_wddx_push_element(void *
int i;
if (atts) for (i = 0; atts[i]; i++) {
- if (!strcmp(atts[i], EL_NAME) && atts[++i] && atts[i][0]) {
- stack->varname = estrdup(atts[i]);
+ if (!strcmp(atts[i], EL_NAME) && atts[i+1] && atts[i+1][0]) {
+ stack->varname = estrdup(atts[i+1]);
break;
}
}
@@ -856,11 +856,12 @@ static void php_wddx_push_element(void *
array_init(ent.data);
if (atts) for (i = 0; atts[i]; i++) {
- if (!strcmp(atts[i], "fieldNames") && atts[++i] && atts[i][0]) {
+ if (!strcmp(atts[i], "fieldNames") && atts[i+1] && atts[i+1][0]) {
zval *tmp;
char *key;
char *p1, *p2, *endp;
+ i++;
endp = (char *)atts[i] + strlen(atts[i]);
p1 = (char *)atts[i];
while ((p2 = php_memnstr(p1, ",", sizeof(",")-1, endp)) != NULL) {
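Review bot: The added `i++` brings back the in-body mutation of the loop counter that the rest of this patch removes. It is safe only because the condition just above has already established that `atts[i+1]` is non-NULL, and no comment records that dependency. Binding the value once, e.g. `const char *names = atts[i+1];`, and deriving `p1` and `endp` from it would leave `i` untouched and make the `(char *)` casts easier to audit. At minimum, add `/* atts[i+1] checked non-NULL above; step onto the value */` beside the `i++`. The rest of this branch lies outside the hunk, so check whether later lines still read `atts[i]` before changing it.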
@@ -892,13 +893,13 @@ static void php_wddx_push_element(void *
ent.data = NULL;
if (atts) for (i = 0; atts[i]; i++) {
- if (!strcmp(atts[i], EL_NAME) && atts[++i] && atts[i][0]) {
+ if (!strcmp(atts[i], EL_NAME) && atts[i+1] && atts[i+1][0]) {
st_entry *recordset;
zval **field;
if (wddx_stack_top(stack, (void**)&recordset) == SUCCESS &&
recordset->type == ST_RECORDSET &&
- zend_hash_find(Z_ARRVAL_P(recordset->data), (char*)atts[i], strlen(atts[i])+1, (void**)&field) == SUCCESS) {
+ zend_hash_find(Z_ARRVAL_P(recordset->data), (char*)atts[i+1], strlen(atts[i+1])+1, (void**)&field) == SUCCESS) {
ent.data = *field;
}