Patch for 72860

72860.diff

commit ee552853ff4d72f626102025133e2cd1575043ee
Author: Stanislav Malyshev <stas@php.net>
Date:   Mon Sep 5 23:42:31 2016 -0700

    Fix bug #72860: wddx_deserialize use-after-free

diff --git a/ext/wddx/tests/bug72860.phpt b/ext/wddx/tests/bug72860.phpt
new file mode 100644
index 0000000..6385457
--- /dev/null
+++ b/ext/wddx/tests/bug72860.phpt
@@ -0,0 +1,27 @@
+--TEST--
+Bug #72860: wddx_deserialize use-after-free
+--SKIPIF--
+<?php
+if (!extension_loaded('wddx')) {
+    die('skip. wddx not available');
+}
+?>
+--FILE--
+<?php
+
+$xml=<<<XML
+<?xml version='1.0'?>
+<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
+<wddxPacket version='1.0'>
+       <recordset fieldNames='F'>
+               <field name='F'>
+       </recordset>
+</wddxPacket>
+XML;
+
+var_dump(wddx_deserialize($xml));
+?>
+DONE
+--EXPECT--
+NULL
+DONE
\ No newline at end of file
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
index d7bd295..b02d2f0 100644
--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@@ -230,7 +230,8 @@ static int wddx_stack_destroy(wddx_stack *stack)
 
 	if (stack->elements) {
 		for (i = 0; i < stack->top; i++) {
-			if (((st_entry *)stack->elements[i])->data)	{
+			if (((st_entry *)stack->elements[i])->data
+					&& ((st_entry *)stack->elements[i])->type != ST_FIELD)	{
 				zval_ptr_dtor(&((st_entry *)stack->elements[i])->data);
 			}
 			if (((st_entry *)stack->elements[i])->varname) {