authorStanislav Malyshev <stas@php.net>2016-06-20 23:31:54 -0700
committerStanislav Malyshev <stas@php.net>2016-06-20 23:31:54 -0700
commite1d2f86a41aa49b9425f84518dd541f599abde83 (patch)
treebe3db2553ac72556bb8c49c7aff155c8fceadc25 /ext/wddx
parent6f73079ce16f4c3cff87c6d2cf5e795ac3f1b0d9 (diff)
parent5f107ab8a66f8b36ac0c0b32e0231bf94e083c94 (diff)
downloadphp-git-e1d2f86a41aa49b9425f84518dd541f599abde83.tar.gz
Merge branch 'PHP-5.5.37' into PHP-5.5
* PHP-5.5.37: fix tests fix build Fix bug #72455: Heap Overflow due to integer overflows Fix bug #72434: ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize Fixed ##72433: Use After Free Vulnerability in PHP's GC algorithm and unserialize Fix bug #72407: NULL Pointer Dereference at _gdScaleVert Fix bug #72402: _php_mb_regex_ereg_replace_exec - double free Fix bug #72298 pass2_no_dither out-of-bounds access Fixed #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow Fix bug #72262 - do not overflow int Fix bug #72400 and #72403 - prevent signed int overflows for string lengths Fix bug #72275: don't allow smart_str to overflow int Fix bug #72340: Double Free Courruption in wddx_deserialize
Diffstat (limited to 'ext/wddx')
-rw-r--r--ext/wddx/tests/bug72340.phpt24
-rw-r--r--ext/wddx/wddx.c4
2 files changed, 28 insertions, 0 deletions
diff --git a/ext/wddx/tests/bug72340.phpt b/ext/wddx/tests/bug72340.phpt
new file mode 100644
index 0000000000..8d694ca52e
--- /dev/null
+++ b/ext/wddx/tests/bug72340.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Bug #72340: Double Free Courruption in wddx_deserialize
+--SKIPIF--
+<?php
+if (!extension_loaded("wddx")) print "skip";
+?>
+--FILE--
+<?php
+$xml = <<<EOF
+<?xml version='1.0' ?>
+<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
+<wddxPacket version='1.0'>
+ <array><var name="XXXXXXXX"><boolean value="none">TEST</boolean></var>
+ <var name="YYYYYYYY"><var name="ZZZZZZZZ"><var name="EZEZEZEZ">
+ </var></var></var>
+ </array>
+</wddxPacket>
+EOF;
+$array = wddx_deserialize($xml);
+var_dump($array);
+?>
+--EXPECT--
+array(0) {
+}
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
index da3424695b..311d6aa4a5 100644
--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@@ -1096,6 +1096,9 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len)
break;
case ST_BOOLEAN:
+ if(!ent->data) {
+ break;
+ }
if (!strcmp(s, "true")) {
Z_LVAL_P(ent->data) = 1;
} else if (!strcmp(s, "false")) {
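Review bot: The `strcmp(s, "true")` and `strcmp(s, "false")` comparisons just below the new guard ignore the `len` parameter, and the signature suggests this is an XML character-data callback, where the buffer is normally not NUL-terminated. If that holds, the comparison can read past the end of the parser's data; a length-bounded form such as `if (len == 4 && !strncmp(s, "true", 4)) {` would avoid it. Separately, the added `if(!ent->data) {` would match the surrounding style as `if (!ent->data) {`, with a short comment like `/* entry was already discarded after an invalid boolean value */`. The body of php_wddx_process_data starts and ends outside the hunk.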
@@ -1104,6 +1107,7 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len)
zval_ptr_dtor(&ent->data);
if (ent->varname) {
efree(ent->varname);
+ ent->varname = NULL;
}
ent->data = NULL;
}
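Review bot: The cleanup in this error branch would benefit from a comment stating the invariant it now establishes, since the double free presumably came from a later callback seeing the stale `ent->varname`. Something like `/* invalid boolean: drop the entry; data and varname must both be NULL so later callbacks skip it */` above `zval_ptr_dtor(&ent->data);` would do. It is also worth checking that any other path in this file that calls `efree(ent->varname)` resets the pointer the same way; none are visible in this hunk. The enclosing branch begins outside the hunk.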