1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
|
Backported from 5.5.37 for 5.4 by Remi Collet
From a44c89e8af7c2410f4bfc5e097be2a5d0639a60c Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sun, 12 Jun 2016 23:18:23 -0700
Subject: [PATCH] Fix bug #72340: Double Free Courruption in wddx_deserialize
---
ext/wddx/tests/bug72340.phpt | 24 ++++++++++++++++++++++++
ext/wddx/wddx.c | 4 ++++
2 files changed, 28 insertions(+)
create mode 100644 ext/wddx/tests/bug72340.phpt
diff --git a/ext/wddx/tests/bug72340.phpt b/ext/wddx/tests/bug72340.phpt
new file mode 100644
index 0000000..8d694ca
--- /dev/null
+++ b/ext/wddx/tests/bug72340.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Bug #72340: Double Free Courruption in wddx_deserialize
+--SKIPIF--
+<?php
+if (!extension_loaded("wddx")) print "skip";
+?>
+--FILE--
+<?php
+$xml = <<<EOF
+<?xml version='1.0' ?>
+<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
+<wddxPacket version='1.0'>
+ <array><var name="XXXXXXXX"><boolean value="none">TEST</boolean></var>
+ <var name="YYYYYYYY"><var name="ZZZZZZZZ"><var name="EZEZEZEZ">
+ </var></var></var>
+ </array>
+</wddxPacket>
+EOF;
+$array = wddx_deserialize($xml);
+var_dump($array);
+?>
+--EXPECT--
+array(0) {
+}
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
index da34246..311d6aa 100644
--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@@ -1096,6 +1096,9 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len)
break;
case ST_BOOLEAN:
+ if(!ent->data) {
+ break;
+ }
if (!strcmp(s, "true")) {
Z_LVAL_P(ent->data) = 1;
} else if (!strcmp(s, "false")) {
@@ -1104,6 +1107,7 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len)
zval_ptr_dtor(&ent->data);
if (ent->varname) {
efree(ent->varname);
+ ent->varname = NULL;
}
ent->data = NULL;
}
|
