Skip to content

Instantly share code, notes, and snippets.

/72750.diff Secret

Created August 7, 2016 23:27
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save anonymous/f149d1a8226fb48d6a59911d7f08f617 to your computer and use it in GitHub Desktop.
Save anonymous/f149d1a8226fb48d6a59911d7f08f617 to your computer and use it in GitHub Desktop.
Download ZIP
Patch for 72750
Raw
72750.diff
commit 6930a1d12c47aa1d2675837852910d177b0ceb11
Author: Stanislav Malyshev <stas@php.net>
Date: Sun Aug 7 16:26:52 2016 -0700
Fix bug #72750: wddx_deserialize null dereference
diff --git a/ext/wddx/tests/bug72750.phpt b/ext/wddx/tests/bug72750.phpt
new file mode 100644
index 0000000..3a6794d
--- /dev/null
+++ b/ext/wddx/tests/bug72750.phpt
@@ -0,0 +1,34 @@
+--TEST--
+Bug #72750: wddx_deserialize null dereference
+--SKIPIF--
+<?php
+if (!extension_loaded('wddx')) {
+ die('skip. wddx not available');
+}
+?>
+--FILE--
+<?php
+
+$xml = <<< XML
+<?xml version='1.0'?>
+<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
+<wddxPacket version='1.0'>
+<header/>
+ <data>
+ <struct>
+ <var name='aBinary'>
+ <binary length='11'>\\tYmluYXJRhdGE=</binary>
+ </var>
+ </struct>
+ </data>
+</wddxPacket>
+XML;
+
+$array = wddx_deserialize($xml);
+var_dump($array);
+?>
+--EXPECT--
+array(1) {
+ ["aBinary"]=>
+ string(0) ""
+}
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
index faadbfe..1b2d103 100644
--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@@ -959,8 +959,12 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
new_str = php_base64_decode(Z_STRVAL_P(ent1->data), Z_STRLEN_P(ent1->data), &new_len);
STR_FREE(Z_STRVAL_P(ent1->data));
+ if (new_str) {
Z_STRVAL_P(ent1->data) = new_str;
Z_STRLEN_P(ent1->data) = new_len;
+ } else {
+ ZVAL_EMPTY_STRING(ent1->data);
+ }
}
/* Call __wakeup() method on the object. */
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment