Backported from 5.6.29 by Remi. From 66fd44209d5ffcb9b3d1bc1b9fd8e35b485040c0 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Mon, 5 Dec 2016 21:40:55 -0800 Subject: [PATCH] Fix bug #73631 - Invalid read when wddx decodes empty boolean element --- ext/wddx/tests/bug73631.phpt | 19 +++++++++++++++++++ ext/wddx/wddx.c | 5 +++++ 2 files changed, 24 insertions(+) create mode 100644 ext/wddx/tests/bug73631.phpt diff --git a/ext/wddx/tests/bug73631.phpt b/ext/wddx/tests/bug73631.phpt new file mode 100644 index 0000000..5e37ae8 --- /dev/null +++ b/ext/wddx/tests/bug73631.phpt @@ -0,0 +1,19 @@ +--TEST-- +Bug #73631 (Memory leak due to invalid wddx stack processing) +--SKIPIF-- + +--FILE-- + + +1234 + + +EOF; +$wddx = wddx_deserialize($xml); +var_dump($wddx); +?> +--EXPECTF-- +int(1234) + diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c index 069ea12..0cee16b 100644 --- a/ext/wddx/wddx.c +++ b/ext/wddx/wddx.c @@ -805,6 +805,11 @@ static void php_wddx_push_element(void *user_data, const XML_Char *name, const X php_wddx_process_data(user_data, atts[i+1], strlen(atts[i+1])); break; } + } else { + ent.type = ST_BOOLEAN; + SET_STACK_VARNAME; + ZVAL_FALSE(&ent.data); + wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry)); } } else if (!strcmp(name, EL_NULL)) { ent.type = ST_NULL; From 331db73eab1008b30069137f27ebd1e7a42de28a Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Mon, 5 Dec 2016 22:32:59 -0800 Subject: [PATCH] This still leaks memory, I don't have enough knowledge in WDDX code to fix them :( --- ext/wddx/tests/bug73631.phpt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ext/wddx/tests/bug73631.phpt b/ext/wddx/tests/bug73631.phpt index 5e37ae8..880ada5 100644 --- a/ext/wddx/tests/bug73631.phpt +++ b/ext/wddx/tests/bug73631.phpt @@ -2,6 +2,8 @@ Bug #73631 (Memory leak due to invalid wddx stack processing) --SKIPIF-- +--XFAIL-- +Still has memory leaks, not sure how to fix them. --FILE-- --EXPECTF-- int(1234) - From e64d104a9b43bd48da5260b4a91d42f4a71fd1c4 Mon Sep 17 00:00:00 2001 From: Anatol Belski Date: Tue, 6 Dec 2016 14:34:27 +0100 Subject: [PATCH] fix leak, take on 5.6 --- ext/wddx/tests/bug73631.phpt | 2 -- ext/wddx/wddx.c | 2 ++ 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ext/wddx/tests/bug73631.phpt b/ext/wddx/tests/bug73631.phpt index 880ada5..1fcde72d 100644 --- a/ext/wddx/tests/bug73631.phpt +++ b/ext/wddx/tests/bug73631.phpt @@ -2,8 +2,6 @@ Bug #73631 (Memory leak due to invalid wddx stack processing) --SKIPIF-- ---XFAIL-- -Still has memory leaks, not sure how to fix them. --FILE-- data, sizeof(zval *), NULL); } + } else if (!strcmp(name, EL_BINARY) && STR_EMPTY_ALLOC() == Z_STRVAL_P(ent1->data)) { + zval_ptr_dtor(&ent1->data); } efree(ent1); } else { From 864f3bda5aba2c1982e9bf77ecfd6901eb404a7e Mon Sep 17 00:00:00 2001 From: Anatol Belski Date: Tue, 6 Dec 2016 16:12:39 +0100 Subject: [PATCH] fix leak, take 2 --- ext/wddx/wddx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c index 9394a59..72d2408 100644 --- a/ext/wddx/wddx.c +++ b/ext/wddx/wddx.c @@ -1050,7 +1050,7 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name) } else { zend_hash_next_index_insert(target_hash, &ent1->data, sizeof(zval *), NULL); } - } else if (!strcmp(name, EL_BINARY) && STR_EMPTY_ALLOC() == Z_STRVAL_P(ent1->data)) { + } else if (!strcmp(name, EL_BINARY) && Z_STRLEN_P(ent1->data) < 1) { zval_ptr_dtor(&ent1->data); } efree(ent1);