Backported from 5.5 for 5.4 by Remi Collet

From 4df84a648ec62b17bd8f8359452f8defd1026167 Mon Sep 17 00:00:00 2001
From: Julien Pauli <jpauli@php.net>
Date: Tue, 22 Dec 2015 14:28:19 +0100
Subject: [PATCH] Fixed #70728

---
 ext/xmlrpc/tests/bug70728.phpt | 30 ++++++++++++++++++++++++++++++
 ext/xmlrpc/xmlrpc-epi-php.c    | 13 +++++++++++--
 2 files changed, 41 insertions(+), 2 deletions(-)
 create mode 100644 ext/xmlrpc/tests/bug70728.phpt

diff --git a/ext/xmlrpc/tests/bug70728.phpt b/ext/xmlrpc/tests/bug70728.phpt
new file mode 100644
index 0000000..5510c33
--- /dev/null
+++ b/ext/xmlrpc/tests/bug70728.phpt
@@ -0,0 +1,30 @@
+--TEST--
+Bug #70728 (Type Confusion Vulnerability in PHP_to_XMLRPC_worker)
+--SKIPIF--
+<?php
+if (!extension_loaded("xmlrpc")) print "skip";
+?>
+--FILE--
+<?php
+$obj = new stdClass;
+$obj->xmlrpc_type = 'base64';
+$obj->scalar = 0x1122334455;
+var_dump(xmlrpc_encode($obj));
+var_dump($obj);
+?>
+--EXPECTF--	
+string(135) "<?xml version="1.0" encoding="utf-8"?>
+<params>
+<param>
+ <value>
+  <base64>NzM1ODgyMjkyMDU=&#10;</base64>
+ </value>
+</param>
+</params>
+"
+object(stdClass)#1 (2) {
+  ["xmlrpc_type"]=>
+  string(6) "base64"
+  ["scalar"]=>
+  int(73588229205)
+}
diff --git a/ext/xmlrpc/xmlrpc-epi-php.c b/ext/xmlrpc/xmlrpc-epi-php.c
index 613892c..6c76434 100644
--- a/ext/xmlrpc/xmlrpc-epi-php.c
+++ b/ext/xmlrpc/xmlrpc-epi-php.c
@@ -532,7 +532,16 @@ static XMLRPC_VALUE PHP_to_XMLRPC_worker (const char* key, zval* in_val, int dep
 						xReturn = XMLRPC_CreateValueEmpty();
 						XMLRPC_SetValueID(xReturn, key, 0);
 					} else {
-						xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL_P(val), Z_STRLEN_P(val));
+						if (Z_TYPE_P(val) != IS_STRING) {
+							zval *newvalue;
+							ALLOC_INIT_ZVAL(newvalue);
+							MAKE_COPY_ZVAL(&val, newvalue);
+							convert_to_string(newvalue);
+							xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL_P(newvalue), Z_STRLEN_P(newvalue));
+							zval_ptr_dtor(&newvalue);
+						} else {
+							xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL_P(val), Z_STRLEN_P(val));
+						}
 					}
 					break;
 				case xmlrpc_datetime:
@@ -1452,7 +1461,7 @@ XMLRPC_VALUE_TYPE get_zval_xmlrpc_type(zval* value, zval** newvalue) /* {{{ */
 		if (newvalue) {
 			zval** val;
 
-			if ((type == xmlrpc_base64 && Z_TYPE_P(value) != IS_NULL) || type == xmlrpc_datetime) {
+			if ((type == xmlrpc_base64 && Z_TYPE_P(value) == IS_OBJECT) || type == xmlrpc_datetime) {
 				if (zend_hash_find(Z_OBJPROP_P(value), OBJECT_VALUE_ATTR, sizeof(OBJECT_VALUE_ATTR), (void**) &val) == SUCCESS) {
 					*newvalue = *val;
 				}