Backported from 5.6.29 by Remi.
From 66fd44209d5ffcb9b3d1bc1b9fd8e35b485040c0 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 5 Dec 2016 21:40:55 -0800
Subject: [PATCH] Fix bug #73631 - Invalid read when wddx decodes empty boolean
element
---
ext/wddx/tests/bug73631.phpt | 19 +++++++++++++++++++
ext/wddx/wddx.c | 5 +++++
2 files changed, 24 insertions(+)
create mode 100644 ext/wddx/tests/bug73631.phpt
diff --git a/ext/wddx/tests/bug73631.phpt b/ext/wddx/tests/bug73631.phpt
new file mode 100644
index 0000000..5e37ae8
--- /dev/null
+++ b/ext/wddx/tests/bug73631.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #73631 (Memory leak due to invalid wddx stack processing)
+--SKIPIF--
+<?php if (!extension_loaded("wddx")) print "skip"; ?>
+--FILE--
+<?php
+$xml = <<<EOF
+<?xml version="1.0" ?>
+<wddxPacket version="1.0">
+<number>1234</number>
+<binary><boolean/></binary>
+</wddxPacket>
+EOF;
+$wddx = wddx_deserialize($xml);
+var_dump($wddx);
+?>
+--EXPECTF--
+int(1234)
+
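Review bot: The `--TEST--` title describes a memory leak, while the commit subject says the bug is an invalid read when decoding an empty boolean element; a title matching the subject, e.g. `Bug #73631 (Invalid read when wddx decodes empty boolean element)`, would make failures easier to triage. The only input exercised is `<boolean/>` nested inside `<binary>`, so a top-level `<boolean/>` and a `<boolean>` carrying an attribute other than `value` are not pinned by this test. `--EXPECTF--` is used without any format placeholders, so plain `--EXPECT--` would do.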
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
index 069ea12..0cee16b 100644
--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@@ -805,6 +805,11 @@ static void php_wddx_push_element(void *user_data, const XML_Char *name, const X
php_wddx_process_data(user_data, atts[i+1], strlen(atts[i+1]));
break;
}
+ } else {
+ ent.type = ST_BOOLEAN;
+ SET_STACK_VARNAME;
+ ZVAL_FALSE(&ent.data);
+ wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry));
}
} else if (!strcmp(name, EL_NULL)) {
ent.type = ST_NULL;
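Review bot: `ZVAL_FALSE(&ent.data)` in the new `else` branch appears to pass a `zval **` where the macro expects a `zval *`: other hunks on this page call `Z_STRLEN_P(ent1->data)` and `zval_ptr_dtor(&ent1->data)`, which suggests `data` is a `zval *` in this branch. If so, the macro writes the boolean into the `st_entry` itself and the pushed entry never gets an allocated zval; allocating first, `MAKE_STD_ZVAL(ent.data); ZVAL_FALSE(ent.data);`, would match how the entry is later destroyed. The `else` also seems to pair with `if (atts)`, so a `<boolean>` whose attribute list is non-NULL but has no `value` would still push nothing; that depends on lines outside the hunk, as php_wddx_push_element starts and ends beyond it.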
From 331db73eab1008b30069137f27ebd1e7a42de28a Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 5 Dec 2016 22:32:59 -0800
Subject: [PATCH] This still leaks memory, I don't have enough knowledge in
WDDX code to fix them :(
---
ext/wddx/tests/bug73631.phpt | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ext/wddx/tests/bug73631.phpt b/ext/wddx/tests/bug73631.phpt
index 5e37ae8..880ada5 100644
--- a/ext/wddx/tests/bug73631.phpt
+++ b/ext/wddx/tests/bug73631.phpt
@@ -2,6 +2,8 @@
Bug #73631 (Memory leak due to invalid wddx stack processing)
--SKIPIF--
<?php if (!extension_loaded("wddx")) print "skip"; ?>
+--XFAIL--
+Still has memory leaks, not sure how to fix them.
--FILE--
<?php
$xml = <<<EOF
@@ -16,4 +18,3 @@ var_dump($wddx);
?>
--EXPECTF--
int(1234)
-
From e64d104a9b43bd48da5260b4a91d42f4a71fd1c4 Mon Sep 17 00:00:00 2001
From: Anatol Belski <ab@php.net>
Date: Tue, 6 Dec 2016 14:34:27 +0100
Subject: [PATCH] fix leak, take on 5.6
---
ext/wddx/tests/bug73631.phpt | 2 --
ext/wddx/wddx.c | 2 ++
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ext/wddx/tests/bug73631.phpt b/ext/wddx/tests/bug73631.phpt
index 880ada5..1fcde72d 100644
--- a/ext/wddx/tests/bug73631.phpt
+++ b/ext/wddx/tests/bug73631.phpt
@@ -2,8 +2,6 @@
Bug #73631 (Memory leak due to invalid wddx stack processing)
--SKIPIF--
<?php if (!extension_loaded("wddx")) print "skip"; ?>
---XFAIL--
-Still has memory leaks, not sure how to fix them.
--FILE--
<?php
$xml = <<<EOF
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
index 0cee16b..9394a59 100644
--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@@ -1050,6 +1050,8 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
} else {
zend_hash_next_index_insert(target_hash, &ent1->data, sizeof(zval *), NULL);
}
+ } else if (!strcmp(name, EL_BINARY) && STR_EMPTY_ALLOC() == Z_STRVAL_P(ent1->data)) {
+ zval_ptr_dtor(&ent1->data);
}
efree(ent1);
} else {
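Review bot: The added `else if` reads `Z_STRVAL_P(ent1->data)` after checking only the closing tag name, not that the entry on top of the stack is actually a binary entry with non-NULL string data. Since this bug is about a stack that gets out of step with the element names, a guard such as `ent1->type == ST_BINARY && ent1->data` in the condition would keep the string accessor off a non-string zval, unless earlier code in php_wddx_pop_element (outside this hunk) already guarantees it. The follow-up commit's `Z_STRLEN_P(ent1->data) < 1` form at the same spot has the same gap.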
From 864f3bda5aba2c1982e9bf77ecfd6901eb404a7e Mon Sep 17 00:00:00 2001
From: Anatol Belski <ab@php.net>
Date: Tue, 6 Dec 2016 16:12:39 +0100
Subject: [PATCH] fix leak, take 2
---
ext/wddx/wddx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
index 9394a59..72d2408 100644
--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@@ -1050,7 +1050,7 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
} else {
zend_hash_next_index_insert(target_hash, &ent1->data, sizeof(zval *), NULL);
}
- } else if (!strcmp(name, EL_BINARY) && STR_EMPTY_ALLOC() == Z_STRVAL_P(ent1->data)) {
+ } else if (!strcmp(name, EL_BINARY) && Z_STRLEN_P(ent1->data) < 1) {
zval_ptr_dtor(&ent1->data);
}
efree(ent1);