authorStanislav Malyshev <stas@php.net>2017-01-02 21:35:42 -0800
committerStanislav Malyshev <stas@php.net>2017-01-02 21:35:42 -0800
commita6cdefe04353faf96f8a91fd8ef49f486bda7a7c (patch)
tree8a7c7517d17de67a28579555d8861f57890d1297
parent7f0de1a138a69beb7c537fd1ec84afbc91a45b19 (diff)
parent4cc0286f2f3780abc6084bcdae5dce595daa3c12 (diff)
Merge branch 'PHP-7.0.15' into PHP-7.0
* PHP-7.0.15: Fix #73832 - leave the table in a safe state if the size is too big. Fix bug #73831 - NULL Pointer Dereference while unserialize php object
-rw-r--r--Zend/zend_hash.c2
-rw-r--r--ext/wddx/tests/bug73831.phpt23
-rw-r--r--ext/wddx/wddx.c36
3 files changed, 44 insertions, 17 deletions
diff --git a/Zend/zend_hash.c b/Zend/zend_hash.c
index 322422da15..8b54a3932d 100644
--- a/Zend/zend_hash.c
+++ b/Zend/zend_hash.c
@@ -175,7 +175,6 @@ ZEND_API void ZEND_FASTCALL _zend_hash_init(HashTable *ht, uint32_t nSize, dtor_
GC_REFCOUNT(ht) = 1;
GC_TYPE_INFO(ht) = IS_ARRAY;
ht->u.flags = (persistent ? HASH_FLAG_PERSISTENT : 0) | HASH_FLAG_APPLY_PROTECTION | HASH_FLAG_STATIC_KEYS;
- ht->nTableSize = zend_hash_check_size(nSize);
ht->nTableMask = HT_MIN_MASK;
HT_SET_DATA_ADDR(ht, &uninitialized_bucket);
ht->nNumUsed = 0;
@@ -183,6 +182,7 @@ ZEND_API void ZEND_FASTCALL _zend_hash_init(HashTable *ht, uint32_t nSize, dtor_
ht->nInternalPointer = HT_INVALID_IDX;
ht->nNextFreeElement = 0;
ht->pDestructor = pDestructor;
+ ht->nTableSize = zend_hash_check_size(nSize);
}
static void ZEND_FASTCALL zend_hash_packed_grow(HashTable *ht)
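Review bot: The fix relies entirely on statement order — nTableSize is now assigned last (the added line after pDestructor) so that, per the commit message, a bail-out inside zend_hash_check_size() on an oversized nSize leaves the table already in its empty state (HT_MIN_MASK, the uninitialized_bucket data address, nNumUsed = 0 from the first hunk) — but nothing in the code says so, and a later tidy-up could move the line back next to nTableMask and silently reintroduce the bug. I would pin the intent with a comment directly above the moved line: `/* Must stay last: zend_hash_check_size() can bail out on an oversized nSize, and every other field must already describe a safe, empty table when it does. */`. Whether zend_hash_check_size() really errors out rather than clamping is not visible in this hunk and is inferred from the commit message; the fields initialised between the two hunks are likewise outside view. _zend_hash_init() begins above the first hunk.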
diff --git a/ext/wddx/tests/bug73831.phpt b/ext/wddx/tests/bug73831.phpt
new file mode 100644
index 0000000000..0f8b8b1264
--- /dev/null
+++ b/ext/wddx/tests/bug73831.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Bug #73831 (NULL Pointer Dereference while unserialize php object)
+--SKIPIF--
+<?php if (!extension_loaded("wddx")) print "skip"; ?>
+--FILE--
+<?php
+$xml = <<<EOF
+<?xml version="1.0" ?>
+<wddxPacket version="1.0">
+ <struct>
+ <var name="php_class_name">
+ <string>Throwable</string>
+ </var>
+ </struct>
+</wddxPacket>
+EOF;
+try {
+ $wddx = wddx_deserialize($xml);
+} catch(Error $e) { echo $e->getMessage(); }
+?>
+--EXPECTF--
+Warning: wddx_deserialize(): Class throwable can not be instantiated in %sbug73831.php on line %d
+Cannot instantiate interface Throwable
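Review bot: The test covers only the interface case (`Throwable` in the php_class_name var); the same object_init_ex() failure branch that this commit guards is presumably also reached for abstract classes and traits, given the "Cannot instantiate interface …" message form, but that is not exercised here. A second packet in the same FILE section would cover it cheaply: declare `abstract class Bug73831Abstract {}` before the packets, deserialize one whose `<string>` is `Bug73831Abstract`, and add the corresponding warning and `Cannot instantiate abstract class Bug73831Abstract` lines to EXPECTF. Note also that the expected warning spells the class as lowercase `throwable` while the packet says `Throwable`; that lowercasing happens in code outside this diff, so a one-line comment in the test saying the name is normalised by the deserializer would stop a future reader from treating it as a typo.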
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
index d58a564593..70c6213407 100644
--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@@ -908,7 +908,7 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
if (!strcmp((char *)name, EL_BINARY)) {
zend_string *new_str = NULL;
-
+
if (ZSTR_EMPTY_ALLOC() != Z_STR(ent1->data)) {
new_str = php_base64_decode(
(unsigned char *)Z_STRVAL(ent1->data), Z_STRLEN(ent1->data));
@@ -967,22 +967,26 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
php_error_docref(NULL, E_WARNING, "Class %s can not be unserialized", Z_STRVAL(ent1->data));
} else {
/* Initialize target object */
- object_init_ex(&obj, pce);
-
- /* Merge current hashtable with object's default properties */
- zend_hash_merge(Z_OBJPROP(obj),
- Z_ARRVAL(ent2->data),
- zval_add_ref, 0);
-
- if (incomplete_class) {
- php_store_class_name(&obj, Z_STRVAL(ent1->data), Z_STRLEN(ent1->data));
+ if (object_init_ex(&obj, pce) != SUCCESS || EG(exception)) {
+ zval_ptr_dtor(&ent2->data);
+ ZVAL_UNDEF(&ent2->data);
+ php_error_docref(NULL, E_WARNING, "Class %s can not be instantiated", Z_STRVAL(ent1->data));
+ } else {
+ /* Merge current hashtable with object's default properties */
+ zend_hash_merge(Z_OBJPROP(obj),
+ Z_ARRVAL(ent2->data),
+ zval_add_ref, 0);
+
+ if (incomplete_class) {
+ php_store_class_name(&obj, Z_STRVAL(ent1->data), Z_STRLEN(ent1->data));
+ }
+
+ /* Clean up old array entry */
+ zval_ptr_dtor(&ent2->data);
+
+ /* Set stack entry to point to the newly created object */
+ ZVAL_COPY_VALUE(&ent2->data, &obj);
}
-
- /* Clean up old array entry */
- zval_ptr_dtor(&ent2->data);
-
- /* Set stack entry to point to the newly created object */
- ZVAL_COPY_VALUE(&ent2->data, &obj);
}
/* Clean up class name var entry */