Fix bug #72340: Double Free Courruption in wddx_deserialize

php · Jun 13, 2016 · a44c89e · a44c89e
1 parent 4dd0365
commit a44c89e
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 0 deletions.
diff --git a/ext/wddx/tests/bug72340.phpt b/ext/wddx/tests/bug72340.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Bug #72340: Double Free Courruption in wddx_deserialize
+--SKIPIF--
+<?php
+if (!extension_loaded("wddx")) print "skip";
+?>
+--FILE--
+<?php
+$xml = <<<EOF
+<?xml version='1.0' ?>
+<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
+<wddxPacket version='1.0'>
+	<array><var name="XXXXXXXX"><boolean value="none">TEST</boolean></var>
+		<var name="YYYYYYYY"><var name="ZZZZZZZZ"><var name="EZEZEZEZ">
+		</var></var></var>
+	</array>
+</wddxPacket>
+EOF;
+$array = wddx_deserialize($xml);
+var_dump($array);
+?>
+--EXPECT--
+array(0) {
+}
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
@@ -1096,6 +1096,9 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len)
 				break;
 
 			case ST_BOOLEAN:
+				if(!ent->data) {
+					break;
+				}
 				if (!strcmp(s, "true")) {
 					Z_LVAL_P(ent->data) = 1;
 				} else if (!strcmp(s, "false")) {
@@ -1104,6 +1107,7 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len)
 					zval_ptr_dtor(&ent->data);
 					if (ent->varname) {
 						efree(ent->varname);
+						ent->varname = NULL;
 					}
 					ent->data = NULL;
 				}