@smalyshev
Created December 28, 2015 20:46
commit 1785d2b805f64eaaacf98c14c9e13107bf085ab1
Author: Stanislav Malyshev <stas@php.net>
Date: Mon Dec 28 12:42:44 2015 -0800
Fixed bug #70741: Session WDDX Packet Deserialization Type Confusion Vulnerability
diff --git a/NEWS b/NEWS
index f29a710..67fbcae 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,10 @@ PHP NEWS
. Fixed bug #70976 (Memory Read via gdImageRotateInterpolated Array Index
Out of Bounds). (emmanuel dot law at gmail dot com).
+- WDDX:
+ . Fixed bug #70741 (Session WDDX Packet Deserialization Type Confusion
+ Vulnerability). (taoguangchen at icloud dot com)
+
01 Oct 2015, PHP 5.5.30
- Phar:
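Review bot: the NEWS entry names the bug but not the user-visible behaviour change that comes with it. With session.serialize_handler=wddx, stored session data whose packet does not deserialize to an array is now rejected at session decode time (the accompanying test expects "Failed to decode session object. Session has been destroyed"). A short clause such as "(session data whose WDDX packet does not decode to an array is now rejected)" would let people diffing behaviour across 5.5.x releases find this without reading the C change.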
diff --git a/ext/wddx/tests/bug70741.phpt b/ext/wddx/tests/bug70741.phpt
new file mode 100644
index 0000000..9c7e09b
--- /dev/null
+++ b/ext/wddx/tests/bug70741.phpt
@@ -0,0 +1,26 @@
+--TEST--
+Bug #70741 (Session WDDX Packet Deserialization Type Confusion Vulnerability)
+--SKIPIF--
+<?php
+if (!extension_loaded("wddx")) print "skip";
+?>
+--FILE--
+<?php
+ini_set('session.serialize_handler', 'wddx');
+session_start();
+
+$hashtable = str_repeat('A', 66);
+$wddx = "<?xml version='1.0'?>
+<wddxPacket version='1.0'>
+<header/>
+ <data>
+ <string>$hashtable</string>
+ </data>
+</wddxPacket>";
+session_decode($wddx);
+?>
+DONE
+--EXPECTF--
+
+Warning: session_decode(): Failed to decode session object. Session has been destroyed in %s on line %d
+DONE
\ No newline at end of file
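Review bot: the test exercises only the `<string>` payload, while the guard added in ext/wddx/wddx.c rejects every non-array result; a second packet with e.g. `<number>` or `<null>` inside `<data>` would pin that down and protect against a future change that special-cases strings. Two smaller points: the variable is named `$hashtable` although it holds a 66-byte string (the point being that the decoder used to treat that string's zval as if it were an array; a one-line comment saying so would make the test self-explanatory), and the file ends without a trailing newline ("\ No newline at end of file"), which should be added before merge.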
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
index 45beaec..8017620 100644
--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@@ -308,7 +308,10 @@ PS_SERIALIZER_DECODE_FUNC(wddx)
MAKE_STD_ZVAL(retval);
if ((ret = php_wddx_deserialize_ex((char *)val, vallen, retval)) == SUCCESS) {
-
+ if (Z_TYPE_P(retval) != IS_ARRAY) {
+ zval_ptr_dtor(&retval);
+ return FAILURE;
+ }
for (zend_hash_internal_pointer_reset(Z_ARRVAL_P(retval));
zend_hash_get_current_data(Z_ARRVAL_P(retval), (void **) &ent) == SUCCESS;
zend_hash_move_forward(Z_ARRVAL_P(retval))) {
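Review bot: the guard sits in the right place, since the `for` loop that follows immediately dereferences Z_ARRVAL_P(retval), which is only meaningful when retval is IS_ARRAY; for any other type (the test's `<string>` packet) the loop previously walked the zval's value as if it were a HashTable. Suggest a one-line comment above `if (Z_TYPE_P(retval) != IS_ARRAY) {` stating that session data must deserialize to an array, so the check is not later removed as redundant. The `zval_ptr_dtor(&retval); return FAILURE;` pair correctly releases the zval obtained from MAKE_STD_ZVAL before bailing out, and dropping the stray blank line in the SUCCESS branch is fine.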