summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStanislav Malyshev <stas@php.net>2016-12-05 21:58:55 -0800
committerAnatol Belski <ab@php.net>2016-12-06 16:22:52 +0100
commita5c493c339ec8dfd2c8f0e41a5ef6d7129cdbd31 (patch)
tree283785d31d7f8b5b9567d3f8b97f62e15545e6ba
parent254d5017c6117c7b8b2c0d70cf4102b21f3a5eae (diff)
downloadphp-git-a5c493c339ec8dfd2c8f0e41a5ef6d7129cdbd31.tar.gz
Merge branch 'PHP-5.6' into PHP-7.0
* PHP-5.6: Fix bug #73631 - Invalid read when wddx decodes empty boolean element (cherry picked from commit 6292fe84d314bdb8504968084666a683983f8044)
Diffstat
-rw-r--r--ext/wddx/tests/bug73631.phpt19
-rw-r--r--ext/wddx/wddx.c5
2 files changed, 24 insertions, 0 deletions
diff --git a/ext/wddx/tests/bug73631.phpt b/ext/wddx/tests/bug73631.phpt
new file mode 100644
index 0000000000..5e37ae8269
--- /dev/null
+++ b/ext/wddx/tests/bug73631.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #73631 (Memory leak due to invalid wddx stack processing)
+--SKIPIF--
+<?php if (!extension_loaded("wddx")) print "skip"; ?>
+--FILE--
+<?php
+$xml = <<<EOF
+<?xml version="1.0" ?>
+<wddxPacket version="1.0">
+<number>1234</number>
+<binary><boolean/></binary>
+</wddxPacket>
+EOF;
+$wddx = wddx_deserialize($xml);
+var_dump($wddx);
+?>
+--EXPECTF--
+int(1234)
+
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
index b188e8929e..662b957369 100644
--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@@ -772,6 +772,11 @@ static void php_wddx_push_element(void *user_data, const XML_Char *name, const X
php_wddx_process_data(user_data, atts[i+1], strlen((char *)atts[i+1]));
break;
}
+ } else {
+ ent.type = ST_BOOLEAN;
+ SET_STACK_VARNAME;
+ ZVAL_FALSE(&ent.data);
+ wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry));
}
} else if (!strcmp((char *)name, EL_NULL)) {
ent.type = ST_NULL;
View Lorry Controller Status