Patch for 72860
commit ee552853ff4d72f626102025133e2cd1575043ee | |
Author: Stanislav Malyshev <stas@php.net> | |
Date: Mon Sep 5 23:42:31 2016 -0700 | |
Fix bug #72860: wddx_deserialize use-after-free | |
diff --git a/ext/wddx/tests/bug72860.phpt b/ext/wddx/tests/bug72860.phpt | |
new file mode 100644 | |
index 0000000..6385457 | |
--- /dev/null | |
+++ b/ext/wddx/tests/bug72860.phpt | |
@@ -0,0 +1,27 @@ | |
+--TEST-- | |
+Bug #72860: wddx_deserialize use-after-free | |
+--SKIPIF-- | |
+<?php | |
+if (!extension_loaded('wddx')) { | |
+ die('skip. wddx not available'); | |
+} | |
+?> | |
+--FILE-- | |
+<?php | |
+ | |
+$xml=<<<XML | |
+<?xml version='1.0'?> | |
+<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'> | |
+<wddxPacket version='1.0'> | |
+ <recordset fieldNames='F'> | |
+ <field name='F'> | |
+ </recordset> | |
+</wddxPacket> | |
+XML; | |
+ | |
+var_dump(wddx_deserialize($xml)); | |
+?> | |
+DONE | |
+--EXPECT-- | |
+NULL | |
+DONE | |
\ No newline at end of file | |
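Review bot: The `--EXPECT--` section checks only for `NULL` and `DONE`, and a use-after-free during parser stack teardown does not necessarily change script output, so this test may pass on an unfixed build unless it runs under a memory checker. Consider recording that requirement in the test itself, for example a `--DESCRIPTION--` section reading `Regression is only reliably detected under valgrind (run-tests.php -m) or a debug build.` The file also ends without a trailing newline, which is worth fixing while touching it.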
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c | |
index d7bd295..b02d2f0 100644 | |
--- a/ext/wddx/wddx.c | |
+++ b/ext/wddx/wddx.c | |
@@ -230,7 +230,8 @@ static int wddx_stack_destroy(wddx_stack *stack) | |
if (stack->elements) { | |
for (i = 0; i < stack->top; i++) { | |
- if (((st_entry *)stack->elements[i])->data) { | |
+ if (((st_entry *)stack->elements[i])->data | |
+ && ((st_entry *)stack->elements[i])->type != ST_FIELD) { | |
zval_ptr_dtor(&((st_entry *)stack->elements[i])->data); | |
} | |
if (((st_entry *)stack->elements[i])->varname) { |
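Review bot: The added `type != ST_FIELD` condition in `wddx_stack_destroy` encodes an ownership rule that nothing in the hunk documents; presumably a field entry's `data` points at a zval owned by the enclosing recordset, so releasing it here would free it a second time. A comment above the condition would stop a later cleanup from dropping it, e.g. `/* ST_FIELD entries do not own ->data (it belongs to the recordset); never dtor it here */`. The cast `((st_entry *)stack->elements[i])` is now repeated four times in the loop, and a local `st_entry *ent = stack->elements[i];` would let the check read `if (ent->data && ent->type != ST_FIELD)`. The function body starts and continues outside the hunk, so any other path that releases an entry's `data` is not visible here and should be checked against the same rule.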