Skip to content

Instantly share code, notes, and snippets.

/74145.diff Secret

Created July 2, 2017 21:26
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save anonymous/8e3f974e5a8913a66ae1a6f966ba351f to your computer and use it in GitHub Desktop.
Save anonymous/8e3f974e5a8913a66ae1a6f966ba351f to your computer and use it in GitHub Desktop.
Download ZIP
Patch for 74145
Raw
74145.diff
commit 36ac7722d93ee69d69e986b3102922fd529a3dfd
Author: Stanislav Malyshev <stas@php.net>
Date: Sun Jul 2 14:25:54 2017 -0700
Fix bug #74145 - wddx parsing empty boolean tag leads to SIGSEGV
diff --git a/ext/wddx/tests/bug74145.phpt b/ext/wddx/tests/bug74145.phpt
new file mode 100644
index 0000000..a99a117
--- /dev/null
+++ b/ext/wddx/tests/bug74145.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Bug #74145 (wddx parsing empty boolean tag leads to SIGSEGV)
+--SKIPIF--
+<?php
+if (!extension_loaded("wddx")) print "skip";
+?>
+--FILE--
+<?php
+$data = file_get_contents(__DIR__ . '/bug74145.xml');
+$wddx = wddx_deserialize($data);
+var_dump($wddx);
+?>
+DONE
+--EXPECTF--
+NULL
+DONE
\ No newline at end of file
diff --git a/ext/wddx/tests/bug74145.xml b/ext/wddx/tests/bug74145.xml
new file mode 100644
index 0000000..e5d35fb
--- /dev/null
+++ b/ext/wddx/tests/bug74145.xml
@@ -0,0 +1,9 @@
+<?xml version='1.0' ?>
+ <!DOCTYPE et SYSTEM 'w'>
+ <wddxPacket ven='1.0'>
+ <array>
+ <var Name="name">
+ <boolean ></boolean>
+ </var>
+ </array>
+ </wddxPacket>
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
index 72d2408..41fdd3d 100644
--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@@ -799,22 +799,19 @@ static void php_wddx_push_element(void *user_data, const XML_Char *name, const X
} else if (!strcmp(name, EL_BOOLEAN)) {
int i;
- if (atts) for (i = 0; atts[i]; i++) {
- if (!strcmp(atts[i], EL_VALUE) && atts[i+1] && atts[i+1][0]) {
- ent.type = ST_BOOLEAN;
- SET_STACK_VARNAME;
-
ALLOC_ZVAL(ent.data);
INIT_PZVAL(ent.data);
Z_TYPE_P(ent.data) = IS_BOOL;
+ ent.type = ST_BOOLEAN;
+ SET_STACK_VARNAME;
+ if (atts) for (i = 0; atts[i]; i++) {
+ if (!strcmp(atts[i], EL_VALUE) && atts[i+1] && atts[i+1][0]) {
wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry));
php_wddx_process_data(user_data, atts[i+1], strlen(atts[i+1]));
break;
}
} else {
- ent.type = ST_BOOLEAN;
- SET_STACK_VARNAME;
- ZVAL_FALSE(&ent.data);
+ ZVAL_FALSE(ent.data);
wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry));
}
} else if (!strcmp(name, EL_NULL)) {
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment