summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStanislav Malyshev <stas@php.net>2017-07-02 14:25:54 -0700
committerStanislav Malyshev <stas@php.net>2017-07-04 19:06:42 -0700
commit2aae60461c2ff7b7fbcdd194c789ac841d0747d7 (patch)
tree209c1b4e484da3ca0729bbed52cd51fec294c951
parentf8c514ba6b7962a219296a837b2dbc22f749e736 (diff)
downloadphp-git-2aae60461c2ff7b7fbcdd194c789ac841d0747d7.tar.gz
Fix bug #74145 - wddx parsing empty boolean tag leads to SIGSEGV
Diffstat
-rw-r--r--ext/wddx/tests/bug74145.phpt16
-rw-r--r--ext/wddx/tests/bug74145.xml9
-rw-r--r--ext/wddx/wddx.c15
3 files changed, 31 insertions, 9 deletions
diff --git a/ext/wddx/tests/bug74145.phpt b/ext/wddx/tests/bug74145.phpt
new file mode 100644
index 0000000000..a99a1178ca
--- /dev/null
+++ b/ext/wddx/tests/bug74145.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Bug #74145 (wddx parsing empty boolean tag leads to SIGSEGV)
+--SKIPIF--
+<?php
+if (!extension_loaded("wddx")) print "skip";
+?>
+--FILE--
+<?php
+$data = file_get_contents(__DIR__ . '/bug74145.xml');
+$wddx = wddx_deserialize($data);
+var_dump($wddx);
+?>
+DONE
+--EXPECTF--
+NULL
+DONE \ No newline at end of file
diff --git a/ext/wddx/tests/bug74145.xml b/ext/wddx/tests/bug74145.xml
new file mode 100644
index 0000000000..e5d35fb0a4
--- /dev/null
+++ b/ext/wddx/tests/bug74145.xml
@@ -0,0 +1,9 @@
+<?xml version='1.0' ?>
+ <!DOCTYPE et SYSTEM 'w'>
+ <wddxPacket ven='1.0'>
+ <array>
+ <var Name="name">
+ <boolean ></boolean>
+ </var>
+ </array>
+ </wddxPacket>
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
index 72d2408c1f..41fdd3d795 100644
--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@@ -799,22 +799,19 @@ static void php_wddx_push_element(void *user_data, const XML_Char *name, const X
} else if (!strcmp(name, EL_BOOLEAN)) {
int i;
+ ALLOC_ZVAL(ent.data);
+ INIT_PZVAL(ent.data);
+ Z_TYPE_P(ent.data) = IS_BOOL;
+ ent.type = ST_BOOLEAN;
+ SET_STACK_VARNAME;
if (atts) for (i = 0; atts[i]; i++) {
if (!strcmp(atts[i], EL_VALUE) && atts[i+1] && atts[i+1][0]) {
- ent.type = ST_BOOLEAN;
- SET_STACK_VARNAME;
-
- ALLOC_ZVAL(ent.data);
- INIT_PZVAL(ent.data);
- Z_TYPE_P(ent.data) = IS_BOOL;
wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry));
php_wddx_process_data(user_data, atts[i+1], strlen(atts[i+1]));
break;
}
} else {
- ent.type = ST_BOOLEAN;
- SET_STACK_VARNAME;
- ZVAL_FALSE(&ent.data);
+ ZVAL_FALSE(ent.data);
wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry));
}
} else if (!strcmp(name, EL_NULL)) {
View Lorry Controller Status