/72790.diff Secret

## 72790.diff
commit a14fdb9746262549bbbb96abb87338bacd147e1b
Author: Stanislav Malyshev <stas@php.net>
Date:   Wed Aug 10 23:43:56 2016 -0700

    Fix for bug #72790 and bug #72799

diff --git a/ext/wddx/tests/bug72790.phpt b/ext/wddx/tests/bug72790.phpt
new file mode 100644
index 0000000..a60524b
--- /dev/null
+++ b/ext/wddx/tests/bug72790.phpt
@@ -0,0 +1,35 @@
+--TEST--
+Bug 72790: wddx_deserialize null dereference with invalid xml
+--SKIPIF--
+<?php
+if (!extension_loaded('wddx')) {
+    die('skip. wddx not available');
+}
+?>
+--FILE--
+<?php
+
+$xml = <<< XML
+<?xml version='1.0' ?>
+<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
+<wddxPacket version='1.0'>
+        |array>
+                <var name="XXXX">
+                        <boolean value="this">
+                        </boolean>
+                </var>
+                <var name="YYYY">
+                        <var name="UUUU">
+                                <var name="EZEZ">
+                                </var>
+                        </var>
+                </var>
+        </array>
+</wddxPacket>
+XML;
+
+$array = wddx_deserialize($xml);
+var_dump($array);
+?>
+--EXPECT--
+NULL
\ No newline at end of file
diff --git a/ext/wddx/tests/bug72799.phpt b/ext/wddx/tests/bug72799.phpt
new file mode 100644
index 0000000..5861d55
--- /dev/null
+++ b/ext/wddx/tests/bug72799.phpt
@@ -0,0 +1,28 @@
+--TEST--
+Bug #72799: wddx_deserialize null dereference in php_wddx_pop_element
+--SKIPIF--
+<?php
+if (!extension_loaded('wddx')) {
+    die('skip. wddx not available');
+}
+?>
+--FILE--
+<?php
+
+$xml = <<<XML
+<?xml version='1.0'?>
+<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
+<wddxPacket version="1.0">
+    <var name="XXXX">
+        <boolean value="1">
+            <dateTime>1998-06-12T04:32:12+00</dateTime>
+        </boolean>
+    </var>
+</wddxPacket>
+XML;
+
+$array = wddx_deserialize($xml);
+var_dump($array);
+?>
+--EXPECT--
+NULL
\ No newline at end of file
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
index 1b2d103..d7bd295 100644
--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@@ -946,10 +946,10 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
 		if (!ent1->data) {
 			if (stack->top > 1) {
 				stack->top--;
+				efree(ent1);
 			} else {
 				stack->done = 1;
 			}
-			efree(ent1);
 			return;
 		}

@@ -988,7 +988,7 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
 			wddx_stack_top(stack, (void**)&ent2);

 			/* if non-existent field */
-			if (ent2->type == ST_FIELD && ent2->data == NULL) {
+			if (ent2->data == NULL) {
 				zval_ptr_dtor(&ent1->data);
 				efree(ent1);
 				return;
@@ -1179,9 +1179,13 @@ int php_wddx_deserialize_ex(char *value, int vallen, zval *return_value)

 	if (stack.top == 1) {
 		wddx_stack_top(&stack, (void**)&ent);
+		if(ent->data == NULL) {
+			retval = FAILURE;
+		} else {
 			*return_value = *(ent->data);
 			zval_copy_ctor(return_value);
 			retval = SUCCESS;
+		}
 	} else {
 		retval = FAILURE;
 	}
	commit a14fdb9746262549bbbb96abb87338bacd147e1b
	Author: Stanislav Malyshev <stas@php.net>
	Date: Wed Aug 10 23:43:56 2016 -0700

	Fix for bug #72790 and bug #72799

	diff --git a/ext/wddx/tests/bug72790.phpt b/ext/wddx/tests/bug72790.phpt
	new file mode 100644
	index 0000000..a60524b
	--- /dev/null
	+++ b/ext/wddx/tests/bug72790.phpt
	@@ -0,0 +1,35 @@
	+--TEST--
	+Bug 72790: wddx_deserialize null dereference with invalid xml
	+--SKIPIF--
	+<?php
	+if (!extension_loaded('wddx')) {
	+ die('skip. wddx not available');
	+}
	+?>
	+--FILE--
	+<?php
	+
	+$xml = <<< XML
	+<?xml version='1.0' ?>
	+<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
	+<wddxPacket version='1.0'>
	+ \|array>
	+ <var name="XXXX">
	+ <boolean value="this">
	+ </boolean>
	+ </var>
	+ <var name="YYYY">
	+ <var name="UUUU">
	+ <var name="EZEZ">
	+ </var>
	+ </var>
	+ </var>
	+ </array>
	+</wddxPacket>
	+XML;
	+
	+$array = wddx_deserialize($xml);
	+var_dump($array);
	+?>
	+--EXPECT--
	+NULL
	\ No newline at end of file
	diff --git a/ext/wddx/tests/bug72799.phpt b/ext/wddx/tests/bug72799.phpt
	new file mode 100644
	index 0000000..5861d55
	--- /dev/null
	+++ b/ext/wddx/tests/bug72799.phpt
	@@ -0,0 +1,28 @@
	+--TEST--
	+Bug #72799: wddx_deserialize null dereference in php_wddx_pop_element
	+--SKIPIF--
	+<?php
	+if (!extension_loaded('wddx')) {
	+ die('skip. wddx not available');
	+}
	+?>
	+--FILE--
	+<?php
	+
	+$xml = <<<XML
	+<?xml version='1.0'?>
	+<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
	+<wddxPacket version="1.0">
	+ <var name="XXXX">
	+ <boolean value="1">
	+ <dateTime>1998-06-12T04:32:12+00</dateTime>
	+ </boolean>
	+ </var>
	+</wddxPacket>
	+XML;
	+
	+$array = wddx_deserialize($xml);
	+var_dump($array);
	+?>
	+--EXPECT--
	+NULL
	\ No newline at end of file
	diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
	index 1b2d103..d7bd295 100644
	--- a/ext/wddx/wddx.c
	+++ b/ext/wddx/wddx.c
	@@ -946,10 +946,10 @@ static void php_wddx_pop_element(void user_data, const XML_Char name)
	if (!ent1->data) {
	if (stack->top > 1) {
	stack->top--;
	+ efree(ent1);
	} else {
	stack->done = 1;
	}
	- efree(ent1);
	return;
	}

	@@ -988,7 +988,7 @@ static void php_wddx_pop_element(void user_data, const XML_Char name)
	wddx_stack_top(stack, (void**)&ent2);

	/* if non-existent field */
	- if (ent2->type == ST_FIELD && ent2->data == NULL) {
	+ if (ent2->data == NULL) {
	zval_ptr_dtor(&ent1->data);
	efree(ent1);
	return;
	@@ -1179,9 +1179,13 @@ int php_wddx_deserialize_ex(char value, int vallen, zval return_value)

	if (stack.top == 1) {
	wddx_stack_top(&stack, (void**)&ent);
	+ if(ent->data == NULL) {
	+ retval = FAILURE;
	+ } else {
	return_value = (ent->data);
	zval_copy_ctor(return_value);
	retval = SUCCESS;
	+ }
	} else {
	retval = FAILURE;
	}