diff options
author | Stanislav Malyshev <stas@php.net> | 2016-12-05 21:58:55 -0800 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2016-12-05 21:58:55 -0800 |
commit | 6292fe84d314bdb8504968084666a683983f8044 (patch) | |
tree | 946ed3aa41187cba860d29668ac078f55a598bf2 | |
parent | a983b728a787360ff033bbf79ec3bd538b6aafb0 (diff) | |
parent | 266ecb6d0a1ab5a37b4d652ca774a8adc4b06578 (diff) | |
download | php-git-6292fe84d314bdb8504968084666a683983f8044.tar.gz |
Merge branch 'PHP-5.6' into PHP-7.0
* PHP-5.6:
Fix bug #73631 - Invalid read when wddx decodes empty boolean element
-rw-r--r-- | ext/wddx/tests/bug73631.phpt | 19 | ||||
-rw-r--r-- | ext/wddx/wddx.c | 5 |
2 files changed, 24 insertions, 0 deletions
diff --git a/ext/wddx/tests/bug73631.phpt b/ext/wddx/tests/bug73631.phpt new file mode 100644 index 0000000000..5e37ae8269 --- /dev/null +++ b/ext/wddx/tests/bug73631.phpt @@ -0,0 +1,19 @@ +--TEST-- +Bug #73631 (Memory leak due to invalid wddx stack processing) +--SKIPIF-- +<?php if (!extension_loaded("wddx")) print "skip"; ?> +--FILE-- +<?php +$xml = <<<EOF +<?xml version="1.0" ?> +<wddxPacket version="1.0"> +<number>1234</number> +<binary><boolean/></binary> +</wddxPacket> +EOF; +$wddx = wddx_deserialize($xml); +var_dump($wddx); +?> +--EXPECTF-- +int(1234) + diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c index b188e8929e..662b957369 100644 --- a/ext/wddx/wddx.c +++ b/ext/wddx/wddx.c @@ -772,6 +772,11 @@ static void php_wddx_push_element(void *user_data, const XML_Char *name, const X php_wddx_process_data(user_data, atts[i+1], strlen((char *)atts[i+1])); break; } + } else { + ent.type = ST_BOOLEAN; + SET_STACK_VARNAME; + ZVAL_FALSE(&ent.data); + wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry)); } } else if (!strcmp((char *)name, EL_NULL)) { ent.type = ST_NULL; |