Patch for 72340
commit a44c89e8af7c2410f4bfc5e097be2a5d0639a60c | |
Author: Stanislav Malyshev <stas@php.net> | |
Date: Sun Jun 12 23:18:23 2016 -0700 | |
Fix bug #72340: Double Free Courruption in wddx_deserialize | |
diff --git a/ext/wddx/tests/bug72340.phpt b/ext/wddx/tests/bug72340.phpt | |
new file mode 100644 | |
index 0000000..8d694ca | |
--- /dev/null | |
+++ b/ext/wddx/tests/bug72340.phpt | |
@@ -0,0 +1,24 @@ | |
+--TEST-- | |
+Bug #72340: Double Free Courruption in wddx_deserialize | |
+--SKIPIF-- | |
+<?php | |
+if (!extension_loaded("wddx")) print "skip"; | |
+?> | |
+--FILE-- | |
+<?php | |
+$xml = <<<EOF | |
+<?xml version='1.0' ?> | |
+<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'> | |
+<wddxPacket version='1.0'> | |
+ <array><var name="XXXXXXXX"><boolean value="none">TEST</boolean></var> | |
+ <var name="YYYYYYYY"><var name="ZZZZZZZZ"><var name="EZEZEZEZ"> | |
+ </var></var></var> | |
+ </array> | |
+</wddxPacket> | |
+EOF; | |
+$array = wddx_deserialize($xml); | |
+var_dump($array); | |
+?> | |
+--EXPECT-- | |
+array(0) { | |
+} | |
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c | |
index da34246..311d6aa 100644 | |
--- a/ext/wddx/wddx.c | |
+++ b/ext/wddx/wddx.c | |
@@ -1096,6 +1096,9 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len) | |
break; | |
case ST_BOOLEAN: | |
+ if(!ent->data) { | |
+ break; | |
+ } | |
if (!strcmp(s, "true")) { | |
Z_LVAL_P(ent->data) = 1; | |
} else if (!strcmp(s, "false")) { | |
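Review bot: The two `strcmp(s, ...)` calls right after the new guard ignore `len`, and a character-data callback with this signature normally receives a length-delimited buffer that is not guaranteed to be NUL-terminated, so the comparison may read past the data the parser handed over. A bounded form such as `if (len == 4 && !memcmp(s, "true", 4)) {` (and the same with `"false"` and 5) would keep the read inside the buffer. The guard itself would benefit from a comment, e.g. `/* data was already released by an earlier callback for this element */`, and a space after `if` to match the surrounding style. php_wddx_process_data starts and ends outside the hunk, so whether `s` is terminated elsewhere cannot be confirmed from here.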
@@ -1104,6 +1107,7 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len) | |
zval_ptr_dtor(&ent->data); | |
if (ent->varname) { | |
efree(ent->varname); | |
+ ent->varname = NULL; | |
} | |
ent->data = NULL; | |
} |
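Review bot: The entry stays on the stack with `data` and `varname` both NULL after this branch, and only the ST_BOOLEAN case gained a NULL check in this commit. Any other handler that dereferences `ent->data` or frees `ent->varname` for this entry (the remaining cases of this switch, the end-element handler) needs the same tolerance; those are outside the hunk and should be checked. A short comment above the cleanup, such as `/* invalid boolean: release the entry; later callbacks must see NULL */`, would record why both pointers are reset.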