-
-
Save anonymous/7e603b8b2c76cd6eed9a33a20a9525d4 to your computer and use it in GitHub Desktop.
Patch for 72790
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
commit a14fdb9746262549bbbb96abb87338bacd147e1b | |
Author: Stanislav Malyshev <stas@php.net> | |
Date: Wed Aug 10 23:43:56 2016 -0700 | |
Fix for bug #72790 and bug #72799 | |
diff --git a/ext/wddx/tests/bug72790.phpt b/ext/wddx/tests/bug72790.phpt | |
new file mode 100644 | |
index 0000000..a60524b | |
--- /dev/null | |
+++ b/ext/wddx/tests/bug72790.phpt | |
@@ -0,0 +1,35 @@ | |
+--TEST-- | |
+Bug 72790: wddx_deserialize null dereference with invalid xml | |
+--SKIPIF-- | |
+<?php | |
+if (!extension_loaded('wddx')) { | |
+ die('skip. wddx not available'); | |
+} | |
+?> | |
+--FILE-- | |
+<?php | |
+ | |
+$xml = <<< XML | |
+<?xml version='1.0' ?> | |
+<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'> | |
+<wddxPacket version='1.0'> | |
+ |array> | |
+ <var name="XXXX"> | |
+ <boolean value="this"> | |
+ </boolean> | |
+ </var> | |
+ <var name="YYYY"> | |
+ <var name="UUUU"> | |
+ <var name="EZEZ"> | |
+ </var> | |
+ </var> | |
+ </var> | |
+ </array> | |
+</wddxPacket> | |
+XML; | |
+ | |
+$array = wddx_deserialize($xml); | |
+var_dump($array); | |
+?> | |
+--EXPECT-- | |
+NULL | |
\ No newline at end of file | |
diff --git a/ext/wddx/tests/bug72799.phpt b/ext/wddx/tests/bug72799.phpt | |
new file mode 100644 | |
index 0000000..5861d55 | |
--- /dev/null | |
+++ b/ext/wddx/tests/bug72799.phpt | |
@@ -0,0 +1,28 @@ | |
+--TEST-- | |
+Bug #72799: wddx_deserialize null dereference in php_wddx_pop_element | |
+--SKIPIF-- | |
+<?php | |
+if (!extension_loaded('wddx')) { | |
+ die('skip. wddx not available'); | |
+} | |
+?> | |
+--FILE-- | |
+<?php | |
+ | |
+$xml = <<<XML | |
+<?xml version='1.0'?> | |
+<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'> | |
+<wddxPacket version="1.0"> | |
+ <var name="XXXX"> | |
+ <boolean value="1"> | |
+ <dateTime>1998-06-12T04:32:12+00</dateTime> | |
+ </boolean> | |
+ </var> | |
+</wddxPacket> | |
+XML; | |
+ | |
+$array = wddx_deserialize($xml); | |
+var_dump($array); | |
+?> | |
+--EXPECT-- | |
+NULL | |
\ No newline at end of file | |
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c | |
index 1b2d103..d7bd295 100644 | |
--- a/ext/wddx/wddx.c | |
+++ b/ext/wddx/wddx.c | |
@@ -946,10 +946,10 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name) | |
if (!ent1->data) { | |
if (stack->top > 1) { | |
stack->top--; | |
+ efree(ent1); | |
} else { | |
stack->done = 1; | |
} | |
- efree(ent1); | |
return; | |
} | |
@@ -988,7 +988,7 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name) | |
wddx_stack_top(stack, (void**)&ent2); | |
/* if non-existent field */ | |
- if (ent2->type == ST_FIELD && ent2->data == NULL) { | |
+ if (ent2->data == NULL) { | |
zval_ptr_dtor(&ent1->data); | |
efree(ent1); | |
return; | |
@@ -1179,9 +1179,13 @@ int php_wddx_deserialize_ex(char *value, int vallen, zval *return_value) | |
if (stack.top == 1) { | |
wddx_stack_top(&stack, (void**)&ent); | |
+ if(ent->data == NULL) { | |
+ retval = FAILURE; | |
+ } else { | |
*return_value = *(ent->data); | |
zval_copy_ctor(return_value); | |
retval = SUCCESS; | |
+ } | |
} else { | |
retval = FAILURE; | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment