author | Stanislav Malyshev <stas@php.net> | 2016-09-05 23:42:31 -0700 |
---|---|---|
committer | Anatol Belski <ab@php.net> | 2016-09-12 17:33:32 +0200 |
commit | 060ab26cfe2f25bc59eb2de593e11cea84ef70b0 (patch) | |
tree | f7848f7fae39f5f9bc9ab16e3425878af6307eaf | |
parent | 92db16e456ed346d0526c840750213317ac0f067 (diff) | |
Fix bug #72860: wddx_deserialize use-after-free
(cherry picked from commit ee552853ff4d72f626102025133e2cd1575043ee)
Conflicts:
ext/wddx/wddx.c
-rw-r--r-- | ext/wddx/tests/bug72860.phpt | 27 | ||||
-rw-r--r-- | ext/wddx/wddx.c | 5 |
2 files changed, 31 insertions, 1 deletions
diff --git a/ext/wddx/tests/bug72860.phpt b/ext/wddx/tests/bug72860.phpt
new file mode 100644
index 0000000000..6385457e8e
--- /dev/null
+++ b/ext/wddx/tests/bug72860.phpt
@@ -0,0 +1,27 @@
+--TEST--
+Bug #72860: wddx_deserialize use-after-free
+--SKIPIF--
+<?php
+if (!extension_loaded('wddx')) {
+ die('skip. wddx not available');
+}
+?>
+--FILE--
+<?php
+
+$xml=<<<XML
+<?xml version='1.0'?>
+<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
+<wddxPacket version='1.0'>
+ <recordset fieldNames='F'>
+ <field name='F'>
+ </recordset>
+</wddxPacket>
+XML;
+
+var_dump(wddx_deserialize($xml));
+?>
+DONE
+--EXPECT--
+NULL
+DONE
\ No newline at end of file
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
index 3a6835fbb6..ecbe153814 100644
--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@@ -230,7 +230,10 @@ static int wddx_stack_destroy(wddx_stack *stack)
 if (stack->elements) {
 for (i = 0; i < stack->top; i++) {
- zval_ptr_dtor(&((st_entry *)stack->elements[i])->data);
+ if (Z_TYPE(((st_entry *)stack->elements[i])->data) != IS_UNDEF
+ && ((st_entry *)stack->elements[i])->type != ST_FIELD) {
+ zval_ptr_dtor(&((st_entry *)stack->elements[i])->data);
+ }
 if (((st_entry *)stack->elements[i])->varname) {
 efree(((st_entry *)stack->elements[i])->varname);
 } |
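Review bot: The new guard in the `for` loop of wddx_stack_destroy skips `zval_ptr_dtor` for `ST_FIELD` entries without stating why, so the use-after-free fix rests on an ownership rule that is written down nowhere in the hunk. Presumably a field entry's `data` is borrowed from the enclosing recordset and released along with it; if so, a comment above the `if` such as `/* ST_FIELD data is owned by the recordset entry; destroying it here would free it twice */` would record that, after confirming it against the code that pushes ST_FIELD entries. The cast `((st_entry *)stack->elements[i])` now appears five times in the loop body, and a local `st_entry *ent = stack->elements[i];` would make the two-part condition easier to audit. The function starts and ends outside the hunk, so the rest of the teardown is not visible here.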