Backported from 5.5.37 for 5.4 by Remi Collet


From a44c89e8af7c2410f4bfc5e097be2a5d0639a60c Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sun, 12 Jun 2016 23:18:23 -0700
Subject: [PATCH] Fix bug #72340: Double Free Courruption in wddx_deserialize

---
 ext/wddx/tests/bug72340.phpt | 24 ++++++++++++++++++++++++
 ext/wddx/wddx.c              |  4 ++++
 2 files changed, 28 insertions(+)
 create mode 100644 ext/wddx/tests/bug72340.phpt

diff --git a/ext/wddx/tests/bug72340.phpt b/ext/wddx/tests/bug72340.phpt
new file mode 100644
index 0000000..8d694ca
--- /dev/null
+++ b/ext/wddx/tests/bug72340.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Bug #72340: Double Free Courruption in wddx_deserialize
+--SKIPIF--
+<?php
+if (!extension_loaded("wddx")) print "skip";
+?>
+--FILE--
+<?php
+$xml = <<<EOF
+<?xml version='1.0' ?>
+<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
+<wddxPacket version='1.0'>
+	<array><var name="XXXXXXXX"><boolean value="none">TEST</boolean></var>
+		<var name="YYYYYYYY"><var name="ZZZZZZZZ"><var name="EZEZEZEZ">
+		</var></var></var>
+	</array>
+</wddxPacket>
+EOF;
+$array = wddx_deserialize($xml);
+var_dump($array);
+?>
+--EXPECT--
+array(0) {
+}
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
index da34246..311d6aa 100644
--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@@ -1096,6 +1096,9 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len)
 				break;
 
 			case ST_BOOLEAN:
+				if(!ent->data) {
+					break;
+				}
 				if (!strcmp(s, "true")) {
 					Z_LVAL_P(ent->data) = 1;
 				} else if (!strcmp(s, "false")) {
@@ -1104,6 +1107,7 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len)
 					zval_ptr_dtor(&ent->data);
 					if (ent->varname) {
 						efree(ent->varname);
+						ent->varname = NULL;
 					}
 					ent->data = NULL;
 				}