diff options
author | Stanislav Malyshev <stas@php.net> | 2016-12-05 21:40:55 -0800 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2016-12-05 21:40:55 -0800 |
commit | 266ecb6d0a1ab5a37b4d652ca774a8adc4b06578 (patch) | |
tree | a3939821a3df8b6b27c11cb00938cd95ed3f0a7b /ext/wddx | |
parent | cf2496140dfa43757870ddaf827961079a29fee1 (diff) | |
download | php-git-266ecb6d0a1ab5a37b4d652ca774a8adc4b06578.tar.gz |
Fix bug #73631 - Invalid read when wddx decodes empty boolean element
Diffstat (limited to 'ext/wddx')
-rw-r--r-- | ext/wddx/tests/bug73631.phpt | 19 | ||||
-rw-r--r-- | ext/wddx/wddx.c | 5 |
2 files changed, 24 insertions, 0 deletions
diff --git a/ext/wddx/tests/bug73631.phpt b/ext/wddx/tests/bug73631.phpt new file mode 100644 index 0000000000..5e37ae8269 --- /dev/null +++ b/ext/wddx/tests/bug73631.phpt @@ -0,0 +1,19 @@ +--TEST-- +Bug #73631 (Memory leak due to invalid wddx stack processing) +--SKIPIF-- +<?php if (!extension_loaded("wddx")) print "skip"; ?> +--FILE-- +<?php +$xml = <<<EOF +<?xml version="1.0" ?> +<wddxPacket version="1.0"> +<number>1234</number> +<binary><boolean/></binary> +</wddxPacket> +EOF; +$wddx = wddx_deserialize($xml); +var_dump($wddx); +?> +--EXPECTF-- +int(1234) + diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c index 069ea122ce..0cee16b9ad 100644 --- a/ext/wddx/wddx.c +++ b/ext/wddx/wddx.c @@ -811,6 +811,11 @@ static void php_wddx_push_element(void *user_data, const XML_Char *name, const X php_wddx_process_data(user_data, atts[i+1], strlen(atts[i+1])); break; } + } else { + ent.type = ST_BOOLEAN; + SET_STACK_VARNAME; + ZVAL_FALSE(&ent.data); + wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry)); } } else if (!strcmp(name, EL_NULL)) { ent.type = ST_NULL; |