fix #72155 (use-after-free caused by get_zval_xmlrpc_type)

author: Joe Watkins <krakjoe@php.net> 2016-05-30 08:56:50 +0100
committer: Joe Watkins <krakjoe@php.net> 2016-05-30 08:56:50 +0100
commit: 1690dcb827e2b50eb575b1c6acadab0b8f248723 (patch)
tree: c4ed46b356566e019995dddd5eee7ab043d4dfcd
parent: 0c5bd4d445ab09fd457882c06eff436eebb4c9bf (diff)
download: php-git-1690dcb827e2b50eb575b1c6acadab0b8f248723.tar.gz
2 files changed, 5 insertions, 2 deletions
diff --git a/NEWS b/NEWS
index 69ae57823a..9aa71bd348 100644
--- a/NEWS
+++ b/NEWS
@@ -32,6 +32,9 @@ PHP                                                                        NEWS
 - XML:
   . Fixed #72206 (xml_parser_create/xml_parser_free leaks mem). (Joe)
 
+- XMLRPC:
+  . Fixed #72155 (use-after-free caused by get_zval_xmlrpc_type). (Joe)
+
 26 May 2016 PHP 7.0.7
 
 - Core:
diff --git a/ext/xmlrpc/xmlrpc-epi-php.c b/ext/xmlrpc/xmlrpc-epi-php.c
index ea62bdc9a9..8daf26257e 100644
--- a/ext/xmlrpc/xmlrpc-epi-php.c
+++ b/ext/xmlrpc/xmlrpc-epi-php.c
@@ -1368,10 +1368,10 @@ XMLRPC_VALUE_TYPE get_zval_xmlrpc_type(zval* value, zval* newvalue) /* {{{ */
 
 			if ((type == xmlrpc_base64 && Z_TYPE_P(value) == IS_OBJECT) || type == xmlrpc_datetime) {
 				if ((val = zend_hash_str_find(Z_OBJPROP_P(value), OBJECT_VALUE_ATTR, sizeof(OBJECT_VALUE_ATTR) - 1)) != NULL) {
-					ZVAL_COPY_VALUE(newvalue, val);
+					ZVAL_COPY(newvalue, val);
 				}
 			} else {
-				ZVAL_COPY_VALUE(newvalue, value);
+				ZVAL_COPY(newvalue, value);
 			}
 		}
 	}
author	Joe Watkins <krakjoe@php.net>	2016-05-30 08:56:50 +0100
committer	Joe Watkins <krakjoe@php.net>	2016-05-30 08:56:50 +0100
commit	1690dcb827e2b50eb575b1c6acadab0b8f248723 (patch)
tree	c4ed46b356566e019995dddd5eee7ab043d4dfcd
parent	0c5bd4d445ab09fd457882c06eff436eebb4c9bf (diff)
download	php-git-1690dcb827e2b50eb575b1c6acadab0b8f248723.tar.gz