lang/php53/patches/patch-ext_xmlrpc_libxmlrpc_xmlrpc.c


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55

$NetBSD: patch-ext_xmlrpc_libxmlrpc_xmlrpc.c,v 1.1.2.2 2014/10/25 15:55:51 tron Exp $

* Fix for CVE-2014-3668.

--- ext/xmlrpc/libxmlrpc/xmlrpc.c.orig	2014-08-13 19:22:50.000000000 +0000
+++ ext/xmlrpc/libxmlrpc/xmlrpc.c
@@ -219,16 +219,19 @@ static int date_from_ISO8601 (const char
    n = 10;
    tm.tm_mon = 0;
    for(i = 0; i < 2; i++) {
-      XMLRPC_IS_NUMBER(text[i])
+      XMLRPC_IS_NUMBER(text[i+4])
       tm.tm_mon += (text[i+4]-'0')*n;
       n /= 10;
    }
    tm.tm_mon --;
+   if(tm.tm_mon < 0 || tm.tm_mon > 11) {
+      return -1;
+   }
 
    n = 10;
    tm.tm_mday = 0;
    for(i = 0; i < 2; i++) {
-      XMLRPC_IS_NUMBER(text[i])
+      XMLRPC_IS_NUMBER(text[i+6])
       tm.tm_mday += (text[i+6]-'0')*n;
       n /= 10;
    }
@@ -236,7 +239,7 @@ static int date_from_ISO8601 (const char
    n = 10;
    tm.tm_hour = 0;
    for(i = 0; i < 2; i++) {
-      XMLRPC_IS_NUMBER(text[i])
+      XMLRPC_IS_NUMBER(text[i+9])
       tm.tm_hour += (text[i+9]-'0')*n;
       n /= 10;
    }
@@ -244,7 +247,7 @@ static int date_from_ISO8601 (const char
    n = 10;
    tm.tm_min = 0;
    for(i = 0; i < 2; i++) {
-      XMLRPC_IS_NUMBER(text[i])
+      XMLRPC_IS_NUMBER(text[i+12])
       tm.tm_min += (text[i+12]-'0')*n;
       n /= 10;
    }
@@ -252,7 +255,7 @@ static int date_from_ISO8601 (const char
    n = 10;
    tm.tm_sec = 0;
    for(i = 0; i < 2; i++) {
-      XMLRPC_IS_NUMBER(text[i])
+      XMLRPC_IS_NUMBER(text[i+15])
       tm.tm_sec += (text[i+15]-'0')*n;
       n /= 10;
    }