Fix bug #72750: wddx_deserialize null dereference

2 files changed, 40 insertions, 2 deletions

diff --git a/ext/wddx/tests/bug72750.phpt b/ext/wddx/tests/bug72750.phpt
new file mode 100644
index 0000000000..3a6794df28
--- /dev/null
+++ b/ext/wddx/tests/bug72750.phpt
@@ -0,0 +1,34 @@
+--TEST--
+Bug #72750: wddx_deserialize null dereference
+--SKIPIF--
+<?php
+if (!extension_loaded('wddx')) {
+    die('skip. wddx not available');
+}
+?>
+--FILE--
+<?php
+
+$xml = <<< XML
+<?xml version='1.0'?>
+<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
+<wddxPacket version='1.0'>
+<header/>
+        <data>
+                <struct>
+                     <var name='aBinary'>
+                         <binary length='11'>\\tYmluYXJRhdGE=</binary>
+                     </var>
+                 </struct>
+        </data>
+</wddxPacket>
+XML;
+
+$array = wddx_deserialize($xml);
+var_dump($array);
+?>
+--EXPECT--
+array(1) {
+  ["aBinary"]=>
+  string(0) ""
+}
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
index faadbfe1df..1b2d103af1 100644
--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@@ -959,8 +959,12 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
 
 			new_str = php_base64_decode(Z_STRVAL_P(ent1->data), Z_STRLEN_P(ent1->data), &new_len);
 			STR_FREE(Z_STRVAL_P(ent1->data));
-			Z_STRVAL_P(ent1->data) = new_str;
-			Z_STRLEN_P(ent1->data) = new_len;
+			if (new_str) {
+				Z_STRVAL_P(ent1->data) = new_str;
+				Z_STRLEN_P(ent1->data) = new_len;
+			} else {
+				ZVAL_EMPTY_STRING(ent1->data);
+			}
 		}
 
 		/* Call __wakeup() method on the object. */