diff options
author | Stanislav Malyshev <stas@php.net> | 2016-09-05 23:42:31 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2016-09-12 21:04:23 -0700 |
commit | b88393f08a558eec14964a55d3c680fe67407712 (patch) | |
tree | c6df93c81020c1b46b4007f9824985f53085d2a1 /ext/wddx | |
parent | 65c8caafa83ca78a8b2fa22257b4dea85b6114e5 (diff) | |
download | php-git-b88393f08a558eec14964a55d3c680fe67407712.tar.gz |
Fix bug #72860: wddx_deserialize use-after-free
Diffstat (limited to 'ext/wddx')
-rw-r--r-- | ext/wddx/tests/bug72860.phpt | 27 | ||||
-rw-r--r-- | ext/wddx/wddx.c | 3 |
2 files changed, 29 insertions, 1 deletions
diff --git a/ext/wddx/tests/bug72860.phpt b/ext/wddx/tests/bug72860.phpt new file mode 100644 index 0000000000..6385457e8e --- /dev/null +++ b/ext/wddx/tests/bug72860.phpt @@ -0,0 +1,27 @@ +--TEST-- +Bug #72860: wddx_deserialize use-after-free +--SKIPIF-- +<?php +if (!extension_loaded('wddx')) { + die('skip. wddx not available'); +} +?> +--FILE-- +<?php + +$xml=<<<XML +<?xml version='1.0'?> +<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'> +<wddxPacket version='1.0'> + <recordset fieldNames='F'> + <field name='F'> + </recordset> +</wddxPacket> +XML; + +var_dump(wddx_deserialize($xml)); +?> +DONE +--EXPECT-- +NULL +DONE
\ No newline at end of file diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c index d7bd295832..b02d2f07de 100644 --- a/ext/wddx/wddx.c +++ b/ext/wddx/wddx.c @@ -230,7 +230,8 @@ static int wddx_stack_destroy(wddx_stack *stack) if (stack->elements) { for (i = 0; i < stack->top; i++) { - if (((st_entry *)stack->elements[i])->data) { + if (((st_entry *)stack->elements[i])->data + && ((st_entry *)stack->elements[i])->type != ST_FIELD) { zval_ptr_dtor(&((st_entry *)stack->elements[i])->data); } if (((st_entry *)stack->elements[i])->varname) { |