summaryrefslogtreecommitdiffstats
path: root/bug72750.patch
diff options
context:
space:
mode:
Diffstat (limited to 'bug72750.patch')
-rw-r--r--bug72750.patch72
1 files changed, 72 insertions, 0 deletions
diff --git a/bug72750.patch b/bug72750.patch
new file mode 100644
index 0000000..5af5a9b
--- /dev/null
+++ b/bug72750.patch
@@ -0,0 +1,72 @@
+Backported from 5.6.25 by Remi.
+
+From 82b95bb758ac707a2372f2edaed70589b6f374d3 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 7 Aug 2016 16:26:52 -0700
+Subject: [PATCH] Fix bug #72750: wddx_deserialize null dereference
+
+---
+ ext/wddx/tests/bug72750.phpt | 34 ++++++++++++++++++++++++++++++++++
+ ext/wddx/wddx.c | 8 ++++++--
+ 2 files changed, 40 insertions(+), 2 deletions(-)
+ create mode 100644 ext/wddx/tests/bug72750.phpt
+
+diff --git a/ext/wddx/tests/bug72750.phpt b/ext/wddx/tests/bug72750.phpt
+new file mode 100644
+index 0000000..3a6794d
+--- /dev/null
++++ b/ext/wddx/tests/bug72750.phpt
+@@ -0,0 +1,34 @@
++--TEST--
++Bug #72750: wddx_deserialize null dereference
++--SKIPIF--
++<?php
++if (!extension_loaded('wddx')) {
++ die('skip. wddx not available');
++}
++?>
++--FILE--
++<?php
++
++$xml = <<< XML
++<?xml version='1.0'?>
++<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
++<wddxPacket version='1.0'>
++<header/>
++ <data>
++ <struct>
++ <var name='aBinary'>
++ <binary length='11'>\\tYmluYXJRhdGE=</binary>
++ </var>
++ </struct>
++ </data>
++</wddxPacket>
++XML;
++
++$array = wddx_deserialize($xml);
++var_dump($array);
++?>
++--EXPECT--
++array(1) {
++ ["aBinary"]=>
++ string(0) ""
++}
+diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
+index faadbfe1..1b2d103 100644
+--- a/ext/wddx/wddx.c
++++ b/ext/wddx/wddx.c
+@@ -952,8 +952,12 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
+
+ new_str = php_base64_decode(Z_STRVAL_P(ent1->data), Z_STRLEN_P(ent1->data), &new_len);
+ STR_FREE(Z_STRVAL_P(ent1->data));
+- Z_STRVAL_P(ent1->data) = new_str;
+- Z_STRLEN_P(ent1->data) = new_len;
++ if (new_str) {
++ Z_STRVAL_P(ent1->data) = new_str;
++ Z_STRLEN_P(ent1->data) = new_len;
++ } else {
++ ZVAL_EMPTY_STRING(ent1->data);
++ }
+ }
+
+ /* Call __wakeup() method on the object. */
generated by cgit (git 2.34.1) at 2024-04-27 07:24:39 +0000