authorNikita Popov <nikic@php.net>2016-07-30 16:07:54 +0200
committerNikita Popov <nikic@php.net>2016-07-30 16:07:54 +0200
commit029f8e87772f27efdee48719b266e99b0a102543 (patch)
tree3b57c8b1fa8d6f35bcecec68e95fbcb8a8f5296c
parent1f67b4c24d780c1b9018bd34b538de59e3ed2d89 (diff)
downloadphp-git-029f8e87772f27efdee48719b266e99b0a102543.tar.gz
Fix incorrect merge
Forgot to amend the merge fixes...
-rw-r--r--NEWS3
-rw-r--r--ext/wddx/wddx.c10
2 files changed, 7 insertions, 6 deletions
diff --git a/NEWS b/NEWS
index babe2c23b0..cdf37e9007 100644
--- a/NEWS
+++ b/NEWS
@@ -133,6 +133,9 @@ PHP NEWS
- Wddx:
. Fixed bug #72564 (boolean always deserialized as "true") (Remi)
+ . Fixed bug #72142 (WDDX Packet Injection Vulnerability in
+ wddx_serialize_value()). (Taoguang Chen)
+
- Zip:
. Fixed bug #72660 (NULL Pointer dereference in zend_virtual_cwd).
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
index ed96a0d4a4..d28cb7a0ac 100644
--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@@ -360,18 +360,16 @@ void php_wddx_packet_start(wddx_packet *packet, char *comment, size_t comment_le
{
php_wddx_add_chunk_static(packet, WDDX_PACKET_S);
if (comment) {
- char *escaped;
- size_t escaped_len;
- escaped = php_escape_html_entities(
- comment, comment_len, &escaped_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
+ zend_string *escaped = php_escape_html_entities(
+ comment, comment_len, 0, ENT_QUOTES, NULL);
php_wddx_add_chunk_static(packet, WDDX_HEADER_S);
php_wddx_add_chunk_static(packet, WDDX_COMMENT_S);
- php_wddx_add_chunk_ex(packet, escaped, escaped_len);
+ php_wddx_add_chunk_ex(packet, ZSTR_VAL(escaped), ZSTR_LEN(escaped));
php_wddx_add_chunk_static(packet, WDDX_COMMENT_E);
php_wddx_add_chunk_static(packet, WDDX_HEADER_E);
- str_efree(escaped);
+ zend_string_release(escaped);
} else {
php_wddx_add_chunk_static(packet, WDDX_HEADER);
}
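Review bot: The `php_escape_html_entities()` call at the top of the `if (comment)` branch carries no comment saying why the value is escaped, and since this block has just been through a bad merge the reason should be written down next to it: `/* comment is caller-supplied and is written inside the packet header; escape it so markup in it cannot alter the packet structure (see bug #72142) */`. Passing `NULL` as the charset hint makes the escaping follow the configured default charset, and with `ENT_QUOTES` as the only flag a comment holding bytes that are invalid in that charset presumably comes back as an empty string, so the comment would be dropped silently; that is the safe direction, but it is worth confirming and covering with a test. `comment` is declared `char *` in the signature shown in the hunk header, so if the PHP 7 prototype takes `unsigned char *` the call needs an explicit cast, `(unsigned char *) comment`, to avoid a pointer-sign warning. The body of php_wddx_packet_start continues past the end of the hunk.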