summaryrefslogtreecommitdiffstats
path: root/bug72340.patch
diff options
context:
space:
mode:
Diffstat (limited to 'bug72340.patch')
-rw-r--r--bug72340.patch66
1 files changed, 66 insertions, 0 deletions
diff --git a/bug72340.patch b/bug72340.patch
new file mode 100644
index 0000000..39646e5
--- /dev/null
+++ b/bug72340.patch
@@ -0,0 +1,66 @@
+Backported from 5.5.37 for 5.4 by Remi Collet
+
+
+From a44c89e8af7c2410f4bfc5e097be2a5d0639a60c Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 12 Jun 2016 23:18:23 -0700
+Subject: [PATCH] Fix bug #72340: Double Free Courruption in wddx_deserialize
+
+---
+ ext/wddx/tests/bug72340.phpt | 24 ++++++++++++++++++++++++
+ ext/wddx/wddx.c | 4 ++++
+ 2 files changed, 28 insertions(+)
+ create mode 100644 ext/wddx/tests/bug72340.phpt
+
+diff --git a/ext/wddx/tests/bug72340.phpt b/ext/wddx/tests/bug72340.phpt
+new file mode 100644
+index 0000000..8d694ca
+--- /dev/null
++++ b/ext/wddx/tests/bug72340.phpt
+@@ -0,0 +1,24 @@
++--TEST--
++Bug #72340: Double Free Courruption in wddx_deserialize
++--SKIPIF--
++<?php
++if (!extension_loaded("wddx")) print "skip";
++?>
++--FILE--
++<?php
++$xml = <<<EOF
++<?xml version='1.0' ?>
++<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
++<wddxPacket version='1.0'>
++ <array><var name="XXXXXXXX"><boolean value="none">TEST</boolean></var>
++ <var name="YYYYYYYY"><var name="ZZZZZZZZ"><var name="EZEZEZEZ">
++ </var></var></var>
++ </array>
++</wddxPacket>
++EOF;
++$array = wddx_deserialize($xml);
++var_dump($array);
++?>
++--EXPECT--
++array(0) {
++}
+diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
+index da34246..311d6aa 100644
+--- a/ext/wddx/wddx.c
++++ b/ext/wddx/wddx.c
+@@ -1096,6 +1096,9 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len)
+ break;
+
+ case ST_BOOLEAN:
++ if(!ent->data) {
++ break;
++ }
+ if (!strcmp(s, "true")) {
+ Z_LVAL_P(ent->data) = 1;
+ } else if (!strcmp(s, "false")) {
+@@ -1104,6 +1107,7 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len)
+ zval_ptr_dtor(&ent->data);
+ if (ent->varname) {
+ efree(ent->varname);
++ ent->varname = NULL;
+ }
+ ent->data = NULL;
+ }