From 266ecb6d0a1ab5a37b4d652ca774a8adc4b06578 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Mon, 5 Dec 2016 21:40:55 -0800 Subject: Fix bug #73631 - Invalid read when wddx decodes empty boolean element --- NEWS | 4 ++++ ext/wddx/tests/bug73631.phpt | 19 +++++++++++++++++++ ext/wddx/wddx.c | 5 +++++ 3 files changed, 28 insertions(+) create mode 100644 ext/wddx/tests/bug73631.phpt diff --git a/NEWS b/NEWS index bdefade47c..a5c3bd1e24 100644 --- a/NEWS +++ b/NEWS @@ -9,6 +9,10 @@ PHP NEWS . Fixed bug #68447 (grapheme_extract take an extra trailing character). (SATŌ Kentarō) +- WDDX: + . Fixed bug #73631 (Memory leak due to invalid wddx stack processing). + (bughunter at fosec dot vn). + 08 Dec 2016, PHP 5.6.29 - Mbstring: diff --git a/ext/wddx/tests/bug73631.phpt b/ext/wddx/tests/bug73631.phpt new file mode 100644 index 0000000000..5e37ae8269 --- /dev/null +++ b/ext/wddx/tests/bug73631.phpt @@ -0,0 +1,19 @@ +--TEST-- +Bug #73631 (Memory leak due to invalid wddx stack processing) +--SKIPIF-- + +--FILE-- + + +1234 + + +EOF; +$wddx = wddx_deserialize($xml); +var_dump($wddx); +?> +--EXPECTF-- +int(1234) + diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c index 069ea122ce..0cee16b9ad 100644 --- a/ext/wddx/wddx.c +++ b/ext/wddx/wddx.c @@ -811,6 +811,11 @@ static void php_wddx_push_element(void *user_data, const XML_Char *name, const X php_wddx_process_data(user_data, atts[i+1], strlen(atts[i+1])); break; } + } else { + ent.type = ST_BOOLEAN; + SET_STACK_VARNAME; + ZVAL_FALSE(&ent.data); + wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry)); } } else if (!strcmp(name, EL_NULL)) { ent.type = ST_NULL; -- cgit v1.2.1
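Review bot: In the added `else` branch of `php_wddx_push_element`, `ZVAL_FALSE(&ent.data)` is correct only if `ent.data` is an embedded `zval`; the declaration of `st_entry` is outside the hunk, so check it for this branch. If `data` is a `zval *` here, the macro would write into the pointer field itself instead of an allocated zval, and the pushed entry would carry an invalid pointer that is later read or freed. In that case the branch needs `ALLOC_ZVAL(ent.data); INIT_PZVAL(ent.data); ZVAL_FALSE(ent.data);` before `wddx_stack_push`. Separately, the fallback runs only when the condition that opens above the hunk is false, so a `boolean` element that has attributes but no usable `value` may still push nothing and leave the stack out of step with the end-element handler; a test for that input alongside `bug73631.phpt` would settle it. The function body starts and ends outside the hunk.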