/73831.diff Secret

## 73831.diff
commit 8d2539fa0faf3f63e1d1e7635347c5b9e777d47b
Author: Stanislav Malyshev <stas@php.net>
Date:   Sat Dec 31 20:14:20 2016 -0800

    Fix bug #73831 - NULL Pointer Dereference while unserialize php object

diff --git a/ext/wddx/tests/bug73831.phpt b/ext/wddx/tests/bug73831.phpt
new file mode 100644
index 0000000..0f8b8b1
--- /dev/null
+++ b/ext/wddx/tests/bug73831.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Bug #73831 (NULL Pointer Dereference while unserialize php object)
+--SKIPIF--
+<?php if (!extension_loaded("wddx")) print "skip"; ?>
+--FILE--
+<?php
+$xml = <<<EOF
+<?xml version="1.0" ?>
+<wddxPacket version="1.0">
+	<struct>
+		<var name="php_class_name">
+			<string>Throwable</string>
+                </var>
+        </struct>
+</wddxPacket>
+EOF;
+try {
+	$wddx = wddx_deserialize($xml);
+} catch(Error $e) { echo $e->getMessage(); }
+?>
+--EXPECTF--
+Warning: wddx_deserialize(): Class throwable can not be instantiated in %sbug73831.php on line %d
+Cannot instantiate interface Throwable
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
index d58a564..70c6213 100644
--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@@ -967,8 +967,11 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
 							php_error_docref(NULL, E_WARNING, "Class %s can not be unserialized", Z_STRVAL(ent1->data));
 						} else {
 							/* Initialize target object */
-							object_init_ex(&obj, pce);
-
+							if (object_init_ex(&obj, pce) != SUCCESS || EG(exception)) {
+								zval_ptr_dtor(&ent2->data);
+								ZVAL_UNDEF(&ent2->data);
+								php_error_docref(NULL, E_WARNING, "Class %s can not be instantiated", Z_STRVAL(ent1->data));
+							} else {
 								/* Merge current hashtable with object's default properties */
 								zend_hash_merge(Z_OBJPROP(obj),
 												Z_ARRVAL(ent2->data),
@@ -984,6 +987,7 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
 								/* Set stack entry to point to the newly created object */
 								ZVAL_COPY_VALUE(&ent2->data, &obj);
 							}
+						}

 						/* Clean up class name var entry */
 						zval_ptr_dtor(&ent1->data);
	commit 8d2539fa0faf3f63e1d1e7635347c5b9e777d47b
	Author: Stanislav Malyshev <stas@php.net>
	Date: Sat Dec 31 20:14:20 2016 -0800

	Fix bug #73831 - NULL Pointer Dereference while unserialize php object

	diff --git a/ext/wddx/tests/bug73831.phpt b/ext/wddx/tests/bug73831.phpt
	new file mode 100644
	index 0000000..0f8b8b1
	--- /dev/null
	+++ b/ext/wddx/tests/bug73831.phpt
	@@ -0,0 +1,23 @@
	+--TEST--
	+Bug #73831 (NULL Pointer Dereference while unserialize php object)
	+--SKIPIF--
	+<?php if (!extension_loaded("wddx")) print "skip"; ?>
	+--FILE--
	+<?php
	+$xml = <<<EOF
	+<?xml version="1.0" ?>
	+<wddxPacket version="1.0">
	+ <struct>
	+ <var name="php_class_name">
	+ <string>Throwable</string>
	+ </var>
	+ </struct>
	+</wddxPacket>
	+EOF;
	+try {
	+ $wddx = wddx_deserialize($xml);
	+} catch(Error $e) { echo $e->getMessage(); }
	+?>
	+--EXPECTF--
	+Warning: wddx_deserialize(): Class throwable can not be instantiated in %sbug73831.php on line %d
	+Cannot instantiate interface Throwable
	diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
	index d58a564..70c6213 100644
	--- a/ext/wddx/wddx.c
	+++ b/ext/wddx/wddx.c
	@@ -967,8 +967,11 @@ static void php_wddx_pop_element(void user_data, const XML_Char name)
	php_error_docref(NULL, E_WARNING, "Class %s can not be unserialized", Z_STRVAL(ent1->data));
	} else {
	/* Initialize target object */
	- object_init_ex(&obj, pce);
	-
	+ if (object_init_ex(&obj, pce) != SUCCESS \|\| EG(exception)) {
	+ zval_ptr_dtor(&ent2->data);
	+ ZVAL_UNDEF(&ent2->data);
	+ php_error_docref(NULL, E_WARNING, "Class %s can not be instantiated", Z_STRVAL(ent1->data));
	+ } else {
	/* Merge current hashtable with object's default properties */
	zend_hash_merge(Z_OBJPROP(obj),
	Z_ARRVAL(ent2->data),
	@@ -984,6 +987,7 @@ static void php_wddx_pop_element(void user_data, const XML_Char name)
	/* Set stack entry to point to the newly created object */
	ZVAL_COPY_VALUE(&ent2->data, &obj);
	}
	+ }

	/* Clean up class name var entry */
	zval_ptr_dtor(&ent1->data);