1 files changed, 62 insertions, 0 deletions

diff --git a/bug72860.patch b/bug72860.patch
new file mode 100644
index 0000000..e26cae0
--- /dev/null
+++ b/bug72860.patch
@@ -0,0 +1,62 @@
+Backported from 5.6.26 by Remi.
+
+
+From 780daee62b55995a10f8e849159eff0a25bacb9d Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 5 Sep 2016 23:42:31 -0700
+Subject: [PATCH] Fix bug #72860: wddx_deserialize use-after-free
+
+---
+ ext/wddx/tests/bug72860.phpt | 27 +++++++++++++++++++++++++++
+ ext/wddx/wddx.c              |  3 ++-
+ 2 files changed, 29 insertions(+), 1 deletion(-)
+ create mode 100644 ext/wddx/tests/bug72860.phpt
+
+diff --git a/ext/wddx/tests/bug72860.phpt b/ext/wddx/tests/bug72860.phpt
+new file mode 100644
+index 0000000..6385457
+--- /dev/null
++++ b/ext/wddx/tests/bug72860.phpt
+@@ -0,0 +1,27 @@
++--TEST--
++Bug #72860: wddx_deserialize use-after-free
++--SKIPIF--
++<?php
++if (!extension_loaded('wddx')) {
++    die('skip. wddx not available');
++}
++?>
++--FILE--
++<?php
++
++$xml=<<<XML
++<?xml version='1.0'?>
++<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
++<wddxPacket version='1.0'>
++       <recordset fieldNames='F'>
++               <field name='F'>
++       </recordset>
++</wddxPacket>
++XML;
++
++var_dump(wddx_deserialize($xml));
++?>
++DONE
++--EXPECT--
++NULL
++DONE
+\ No newline at end of file
+diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
+index d7bd295..b02d2f0 100644
+--- a/ext/wddx/wddx.c
++++ b/ext/wddx/wddx.c
+@@ -232,7 +232,8 @@ static int wddx_stack_destroy(wddx_stack *stack)
+ 
+ 	if (stack->elements) {
+ 		for (i = 0; i < stack->top; i++) {
+-			if (((st_entry *)stack->elements[i])->data)	{
++			if (((st_entry *)stack->elements[i])->data
++					&& ((st_entry *)stack->elements[i])->type != ST_FIELD)	{
+ 				zval_ptr_dtor(&((st_entry *)stack->elements[i])->data);
+ 			}
+ 			if (((st_entry *)stack->elements[i])->varname) {