authorXinchen Hui <laruence@gmail.com>2016-05-31 11:44:20 +0800
committerXinchen Hui <laruence@gmail.com>2016-05-31 11:44:20 +0800
commitd1dd9b4558e9c1b2e86887f99c009063ee3eb5f4 (patch)
tree944e26774e57e57ef10f58080237b5f865541934 /ext
parenta811b5e38d9ccbbce70658c9bc59515bf9208019 (diff)
downloadphp-git-d1dd9b4558e9c1b2e86887f99c009063ee3eb5f4.tar.gz
Re-Fixed bug #72155 (use-after-free caused by get_zval_xmlrpc_type)
Diffstat (limited to 'ext')
-rw-r--r--ext/xmlrpc/tests/bug72155.phpt22
-rw-r--r--ext/xmlrpc/xmlrpc-epi-php.c2
2 files changed, 23 insertions, 1 deletions
diff --git a/ext/xmlrpc/tests/bug72155.phpt b/ext/xmlrpc/tests/bug72155.phpt
new file mode 100644
index 0000000000..38c90be252
--- /dev/null
+++ b/ext/xmlrpc/tests/bug72155.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Bug #72155 (use-after-free caused by get_zval_xmlrpc_type)
+--SKIPIF--
+<?php
+if (!extension_loaded("xmlrpc")) print "skip";
+?>
+--FILE--
+<?php
+$var0 = fopen("/etc/passwd","r");
+$var1 = xmlrpc_encode($var0);
+var_dump($var1);
+?>
+--EXPECTF--
+string(109) "<?xml version="1.0" encoding="utf-8"?>
+<params>
+<param>
+ <value>
+ <int>5</int>
+ </value>
+</param>
+</params>
+"
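Review bot: The expected output pins values that depend on the environment: `<int>5</int>` is the resource id of the opened stream, and `/etc/passwd` exists only on Unix-like hosts, so the test can fail for reasons unrelated to bug #72155. Opening the test's own file, `$var0 = fopen(__FILE__, "r");`, removes the path dependency and avoids reading a system account file from the test suite. Since the section is already `--EXPECTF--`, the id and length can be matched as `string(%d)` and `<int>%d</int>`, which keeps the regression check (encoding a resource must not crash and must yield an int) without tying it to how many resources were allocated earlier.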
diff --git a/ext/xmlrpc/xmlrpc-epi-php.c b/ext/xmlrpc/xmlrpc-epi-php.c
index ea62bdc9a9..b5dcee8f0d 100644
--- a/ext/xmlrpc/xmlrpc-epi-php.c
+++ b/ext/xmlrpc/xmlrpc-epi-php.c
@@ -535,7 +535,7 @@ static XMLRPC_VALUE PHP_to_XMLRPC_worker (const char* key, zval* in_val, int dep
xReturn = XMLRPC_CreateValueBoolean(key, Z_TYPE(val) == IS_TRUE);
break;
case xmlrpc_int:
- convert_to_long(&val);
+ ZVAL_LONG(&val, zval_get_long(&val));
xReturn = XMLRPC_CreateValueInt(key, Z_LVAL(val));
break;
case xmlrpc_double:
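Review bot: The new line in the `xmlrpc_int` case needs a comment saying why the value is not converted in place, otherwise a later cleanup could turn it back into `convert_to_long(&val)`. Judging by the commit title, `val` appears to share its payload with the caller's `in_val`, so in-place conversion would release a resource the caller still holds; something like `/* val aliases in_val: read the long without destroying the original (bug #72155) */` would record that. The `xmlrpc_double` case begins on the last context line and its body is outside the hunk; if it still converts `val` in place, it deserves the same check. `PHP_to_XMLRPC_worker` starts and ends outside the hunk.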