authorStanislav Malyshev <stas@php.net>2016-12-05 21:40:55 -0800
committerStanislav Malyshev <stas@php.net>2016-12-05 21:40:55 -0800
commit266ecb6d0a1ab5a37b4d652ca774a8adc4b06578 (patch)
treea3939821a3df8b6b27c11cb00938cd95ed3f0a7b
parentcf2496140dfa43757870ddaf827961079a29fee1 (diff)
downloadphp-git-266ecb6d0a1ab5a37b4d652ca774a8adc4b06578.tar.gz
Fix bug #73631 - Invalid read when wddx decodes empty boolean element
-rw-r--r--NEWS4
-rw-r--r--ext/wddx/tests/bug73631.phpt19
-rw-r--r--ext/wddx/wddx.c5
3 files changed, 28 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index bdefade47c..a5c3bd1e24 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,10 @@ PHP NEWS
. Fixed bug #68447 (grapheme_extract take an extra trailing character).
(SATŌ Kentarō)
+- WDDX:
+ . Fixed bug #73631 (Memory leak due to invalid wddx stack processing).
+ (bughunter at fosec dot vn).
+
08 Dec 2016, PHP 5.6.29
- Mbstring:
diff --git a/ext/wddx/tests/bug73631.phpt b/ext/wddx/tests/bug73631.phpt
new file mode 100644
index 0000000000..5e37ae8269
--- /dev/null
+++ b/ext/wddx/tests/bug73631.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #73631 (Memory leak due to invalid wddx stack processing)
+--SKIPIF--
+<?php if (!extension_loaded("wddx")) print "skip"; ?>
+--FILE--
+<?php
+$xml = <<<EOF
+<?xml version="1.0" ?>
+<wddxPacket version="1.0">
+<number>1234</number>
+<binary><boolean/></binary>
+</wddxPacket>
+EOF;
+$wddx = wddx_deserialize($xml);
+var_dump($wddx);
+?>
+--EXPECTF--
+int(1234)
+
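Review bot: The regression input covers only `<boolean/>` with no attributes at all, which looks like the single case the new else branch in ext/wddx/wddx.c handles. A boolean element that carries attributes but no non-empty `value` would run the attribute loop without pushing an entry, so the stack mismatch behind this bug may still be reachable on that path. This is inferred, because the `if` that the new `else` pairs with lies outside the wddx.c hunk. A second case for that form, asserting the decoded result, would pin the behaviour either way.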
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
index 069ea122ce..0cee16b9ad 100644
--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@@ -811,6 +811,11 @@ static void php_wddx_push_element(void *user_data, const XML_Char *name, const X
php_wddx_process_data(user_data, atts[i+1], strlen(atts[i+1]));
break;
}
+ } else {
+ ent.type = ST_BOOLEAN;
+ SET_STACK_VARNAME;
+ ZVAL_FALSE(&ent.data);
+ wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry));
}
} else if (!strcmp(name, EL_NULL)) {
ent.type = ST_NULL;
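Review bot: In the added else branch, `ZVAL_FALSE(&ent.data);` is only correct if `st_entry.data` is an embedded `zval`. The declaration is outside the hunk, but the NEWS hunk places this commit on the PHP 5.6 line, where zvals are normally held as `zval *`. If `data` is a pointer here, the macro would write through a `zval **` into the stack-local `ent` and push an entry with no allocated zval, corrupting the entry instead of initialising a boolean. In that case the branch should allocate first: `ALLOC_ZVAL(ent.data); INIT_PZVAL(ent.data); ZVAL_FALSE(ent.data);`. php_wddx_push_element starts and ends outside the hunk, so this needs confirming against the struct definition and the sibling branches.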