diff options
author | Stanislav Malyshev <stas@php.net> | 2016-08-07 16:26:52 -0700 |
---|---|---|
committer | Ferenc Kovacs <tyra3l@gmail.com> | 2016-08-18 12:52:08 +0200 |
commit | 82b95bb758ac707a2372f2edaed70589b6f374d3 (patch) | |
tree | 38efbc709d7005a807dff9dd5d04195bfa9b17ae | |
parent | 7d5ca3b28d3c8f8cae6cd874740f18fd3eb5100e (diff) | |
download | php-git-82b95bb758ac707a2372f2edaed70589b6f374d3.tar.gz |
Fix bug #72750: wddx_deserialize null dereference
-rw-r--r-- | ext/wddx/tests/bug72750.phpt | 34 | ||||
-rw-r--r-- | ext/wddx/wddx.c | 8 |
2 files changed, 40 insertions, 2 deletions
diff --git a/ext/wddx/tests/bug72750.phpt b/ext/wddx/tests/bug72750.phpt new file mode 100644 index 0000000000..3a6794df28 --- /dev/null +++ b/ext/wddx/tests/bug72750.phpt @@ -0,0 +1,34 @@ +--TEST-- +Bug #72750: wddx_deserialize null dereference +--SKIPIF-- +<?php +if (!extension_loaded('wddx')) { + die('skip. wddx not available'); +} +?> +--FILE-- +<?php + +$xml = <<< XML +<?xml version='1.0'?> +<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'> +<wddxPacket version='1.0'> +<header/> + <data> + <struct> + <var name='aBinary'> + <binary length='11'>\\tYmluYXJRhdGE=</binary> + </var> + </struct> + </data> +</wddxPacket> +XML; + +$array = wddx_deserialize($xml); +var_dump($array); +?> +--EXPECT-- +array(1) { + ["aBinary"]=> + string(0) "" +} diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c index faadbfe1df..1b2d103af1 100644 --- a/ext/wddx/wddx.c +++ b/ext/wddx/wddx.c @@ -959,8 +959,12 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name) new_str = php_base64_decode(Z_STRVAL_P(ent1->data), Z_STRLEN_P(ent1->data), &new_len); STR_FREE(Z_STRVAL_P(ent1->data)); - Z_STRVAL_P(ent1->data) = new_str; - Z_STRLEN_P(ent1->data) = new_len; + if (new_str) { + Z_STRVAL_P(ent1->data) = new_str; + Z_STRLEN_P(ent1->data) = new_len; + } else { + ZVAL_EMPTY_STRING(ent1->data); + } } /* Call __wakeup() method on the object. */ |