
Commit 426aeb2

committed
Fix bug #72749: wddx_deserialize allows illegal memory access
1 parent f1a0b7d commit 426aeb2


2 files changed

+46
-4
lines changed


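--- /dev/null
+++ b/ext/wddx/tests/bug72749.phpt
@@ -0,0 +1,34 @@
+--TEST--
+Bug #72749: wddx_deserialize allows illegal memory access
+--SKIPIF--
+<?php
+if (!extension_loaded('wddx')) {
+die('skip. wddx not available');
+}
+?>
+--FILE--
+<?php
+$xml = <<<XML
+<?xml version='1.0'?>
+<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
+<wddxPacket version='1.0'>
+<header/>
+<data>
+<struct>
+<var name='aDateTime3'>
+<dateTime>2\r2004-09-10T05:52:49+00</dateTime>
+</var>
+</struct>
+</data>
+</wddxPacket>
+XML;
+
+$array = wddx_deserialize($xml);
+var_dump($array);
+?>
+--EXPECT--
+array(1) {
+["aDateTime3"]=>
+string(24) "2
+2004-09-10T05:52:49+00"
+}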

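--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@@ -1123,19 +1123,27 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len)
 case ST_DATETIME: {
 char *tmp;
 
+if (Z_TYPE_P(ent->data) == IS_STRING) {
+tmp = safe_emalloc(Z_STRLEN_P(ent->data), 1, (size_t)len + 1);
+memcpy(tmp, Z_STRVAL_P(ent->data), Z_STRLEN_P(ent->data));
+memcpy(tmp + Z_STRLEN_P(ent->data), s, len);
+len += Z_STRLEN_P(ent->data);
+efree(Z_STRVAL_P(ent->data));
+Z_TYPE_P(ent->data) = IS_LONG;
+} else {
 tmp = emalloc(len + 1);
 memcpy(tmp, s, len);
+}
 tmp[len] = '\0';
 
 Z_LVAL_P(ent->data) = php_parse_date(tmp, NULL);
 /* date out of range < 1969 or > 2038 */
 if (Z_LVAL_P(ent->data) == -1) {
-Z_TYPE_P(ent->data) = IS_STRING;
-Z_STRLEN_P(ent->data) = len;
-Z_STRVAL_P(ent->data) = estrndup(s, len);
-}
+ZVAL_STRINGL(ent->data, tmp, len, 0);
+} else {
 efree(tmp);
 }
+}
 break;
 
 default: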
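Review bot: The comment `/* date out of range < 1969 or > 2038 */` kept at new line 1140 no longer describes what the branch below it handles: with the concatenation added at 1126-1133, a -1 from php_parse_date also means the text gathered so far is simply not a parsable date (the accompanying test expects the raw string back, not a timestamp), so the new `ZVAL_STRINGL(ent->data, tmp, len, 0);` path is the normal outcome for an element whose character data arrives in more than one callback, not an exceptional one. I would reword it to `/* -1: not parsable so far, or out of range (< 1969 or > 2038); keep the raw text */` and add a sentence above the new `if (Z_TYPE_P(ent->data) == IS_STRING)` saying that the parser may deliver one element's character data in several calls, so an already-kept chunk must be appended to rather than overwritten through the zval union, which is the illegal access this commit fixes. Two smaller points: `len += Z_STRLEN_P(ent->data);` is signed int arithmetic on the callback's `int len` after the allocation was already overflow-checked by safe_emalloc, so a sum that wrapped would reach `tmp[len]` and ZVAL_STRINGL as a negative length; whether the parser's chunk sizes make that reachable I cannot tell from this hunk, but accumulating in a `size_t` with an explicit bound would close the gap. Writing `Z_TYPE_P(ent->data) = IS_LONG;` by hand is also inconsistent in style with the ZVAL_STRINGL helper used a few lines later. php_wddx_process_data begins and ends outside the hunk.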
