2 files changed, 46 insertions, 4 deletions

diff --git a/ext/wddx/tests/bug72749.phpt b/ext/wddx/tests/bug72749.phpt
new file mode 100644
index 0000000000..ee17d0f229
--- /dev/null
+++ b/ext/wddx/tests/bug72749.phpt
@@ -0,0 +1,34 @@
+--TEST--
+Bug #72749: wddx_deserialize allows illegal memory access
+--SKIPIF--
+<?php
+if (!extension_loaded('wddx')) {
+    die('skip. wddx not available');
+}
+?>
+--FILE--
+<?php
+$xml = <<<XML
+<?xml version='1.0'?>
+<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
+<wddxPacket version='1.0'>
+<header/>
+        <data>
+                <struct>
+                     <var name='aDateTime3'>
+                         <dateTime>2\r2004-09-10T05:52:49+00</dateTime>
+                     </var>
+                 </struct>
+        </data>
+</wddxPacket>
+XML;
+
+$array = wddx_deserialize($xml);
+var_dump($array);
+?>
+--EXPECT--
+array(1) {
+  ["aDateTime3"]=>
+  string(24) "2
+2004-09-10T05:52:49+00"
+}
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
index 40b41ba373..a11efe66de 100644
--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@@ -1038,14 +1038,22 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len)
 			case ST_DATETIME: {
 				char *tmp;
 
-				tmp = emalloc(len + 1);
-				memcpy(tmp, (char *)s, len);
+				if (Z_TYPE(ent->data) == IS_STRING) {
+					tmp = safe_emalloc(Z_STRLEN(ent->data), 1, (size_t)len + 1);
+					memcpy(tmp, Z_STRVAL(ent->data), Z_STRLEN(ent->data));
+					memcpy(tmp + Z_STRLEN(ent->data), s, len);
+					len += Z_STRLEN(ent->data);
+					zval_dtor(&ent->data);
+				} else {
+					tmp = emalloc(len + 1);
+					memcpy(tmp, (char *)s, len);
+				}
 				tmp[len] = '\0';
 
-				Z_LVAL(ent->data) = php_parse_date(tmp, NULL);
+				ZVAL_LONG(&ent->data, php_parse_date(tmp, NULL));
 				/* date out of range < 1969 or > 2038 */
 				if (Z_LVAL(ent->data) == -1) {
-					ZVAL_STRINGL(&ent->data, (char *)s, len);
+					ZVAL_STRINGL(&ent->data, (char *)tmp, len);
 				}
 				efree(tmp);
 			}