Skip to content

Instantly share code, notes, and snippets.

/72860.diff Secret
Created Sep 6, 2016

Embed
What would you like to do?
Patch for 72860
commit ee552853ff4d72f626102025133e2cd1575043ee
Author: Stanislav Malyshev <stas@php.net>
Date: Mon Sep 5 23:42:31 2016 -0700
Fix bug #72860: wddx_deserialize use-after-free
diff --git a/ext/wddx/tests/bug72860.phpt b/ext/wddx/tests/bug72860.phpt
new file mode 100644
index 0000000..6385457
--- /dev/null
+++ b/ext/wddx/tests/bug72860.phpt
@@ -0,0 +1,27 @@
+--TEST--
+Bug #72860: wddx_deserialize use-after-free
+--SKIPIF--
+<?php
+if (!extension_loaded('wddx')) {
+ die('skip. wddx not available');
+}
+?>
+--FILE--
+<?php
+
+$xml=<<<XML
+<?xml version='1.0'?>
+<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
+<wddxPacket version='1.0'>
+ <recordset fieldNames='F'>
+ <field name='F'>
+ </recordset>
+</wddxPacket>
+XML;
+
+var_dump(wddx_deserialize($xml));
+?>
+DONE
+--EXPECT--
+NULL
+DONE
\ No newline at end of file
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
index d7bd295..b02d2f0 100644
--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@@ -230,7 +230,8 @@ static int wddx_stack_destroy(wddx_stack *stack)
if (stack->elements) {
for (i = 0; i < stack->top; i++) {
- if (((st_entry *)stack->elements[i])->data) {
+ if (((st_entry *)stack->elements[i])->data
+ && ((st_entry *)stack->elements[i])->type != ST_FIELD) {
zval_ptr_dtor(&((st_entry *)stack->elements[i])->data);
}
if (((st_entry *)stack->elements[i])->varname) {
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.