Skip to content
Permalink
Browse files Browse the repository at this point in the history
Fix bug #73631 - Invalid read when wddx decodes empty boolean element
  • Loading branch information
smalyshev authored and Tyrael committed Dec 8, 2016
1 parent 9e89e72 commit 66fd442
Show file tree
Hide file tree
Showing 2 changed files with 24 additions and 0 deletions.
19 changes: 19 additions & 0 deletions ext/wddx/tests/bug73631.phpt
@@ -0,0 +1,19 @@
--TEST--
Bug #73631 (Memory leak due to invalid wddx stack processing)
--SKIPIF--
<?php if (!extension_loaded("wddx")) print "skip"; ?>
--FILE--
<?php
$xml = <<<EOF
<?xml version="1.0" ?>
<wddxPacket version="1.0">
<number>1234</number>
<binary><boolean/></binary>
</wddxPacket>
EOF;
$wddx = wddx_deserialize($xml);
var_dump($wddx);
?>
--EXPECTF--
int(1234)

5 changes: 5 additions & 0 deletions ext/wddx/wddx.c
Expand Up @@ -811,6 +811,11 @@ static void php_wddx_push_element(void *user_data, const XML_Char *name, const X
php_wddx_process_data(user_data, atts[i+1], strlen(atts[i+1]));
break;
}
} else {
ent.type = ST_BOOLEAN;
SET_STACK_VARNAME;
ZVAL_FALSE(&ent.data);
wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry));
}
} else if (!strcmp(name, EL_NULL)) {
ent.type = ST_NULL;
Expand Down

0 comments on commit 66fd442

Please sign in to comment.