
Commit 8d2539f

committed
Fix bug #73831 - NULL Pointer Dereference while unserialize php object
1 parent 97e16eb commit 8d2539f


2 files changed

+43
-16
lines changed


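--- a/ext/wddx/tests/bug73831.phpt
+++ b/ext/wddx/tests/bug73831.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Bug #73831 (NULL Pointer Dereference while unserialize php object)
+--SKIPIF--
+<?php if (!extension_loaded("wddx")) print "skip"; ?>
+--FILE--
+<?php
+$xml = <<<EOF
+<?xml version="1.0" ?>
+<wddxPacket version="1.0">
+<struct>
+<var name="php_class_name">
+<string>Throwable</string>
+</var>
+</struct>
+</wddxPacket>
+EOF;
+try {
+$wddx = wddx_deserialize($xml);
+} catch(Error $e) { echo $e->getMessage(); }
+?>
+--EXPECTF--
+Warning: wddx_deserialize(): Class throwable can not be instantiated in %sbug73831.php on line %d
+Cannot instantiate interface Throwable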

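--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@@ -908,7 +908,7 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
 
 if (!strcmp((char *)name, EL_BINARY)) {
 zend_string *new_str = NULL;
-
+
 if (ZSTR_EMPTY_ALLOC() != Z_STR(ent1->data)) {
 new_str = php_base64_decode(
 (unsigned char *)Z_STRVAL(ent1->data), Z_STRLEN(ent1->data));
@@ -967,22 +967,26 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
 php_error_docref(NULL, E_WARNING, "Class %s can not be unserialized", Z_STRVAL(ent1->data));
 } else {
 /* Initialize target object */
-object_init_ex(&obj, pce);
-
-/* Merge current hashtable with object's default properties */
-zend_hash_merge(Z_OBJPROP(obj),
-Z_ARRVAL(ent2->data),
-zval_add_ref, 0);
-
-if (incomplete_class) {
-php_store_class_name(&obj, Z_STRVAL(ent1->data), Z_STRLEN(ent1->data));
+if (object_init_ex(&obj, pce) != SUCCESS || EG(exception)) {
+zval_ptr_dtor(&ent2->data);
+ZVAL_UNDEF(&ent2->data);
+php_error_docref(NULL, E_WARNING, "Class %s can not be instantiated", Z_STRVAL(ent1->data));
+} else {
+/* Merge current hashtable with object's default properties */
+zend_hash_merge(Z_OBJPROP(obj),
+Z_ARRVAL(ent2->data),
+zval_add_ref, 0);
+
+if (incomplete_class) {
+php_store_class_name(&obj, Z_STRVAL(ent1->data), Z_STRLEN(ent1->data));
+}
+
+/* Clean up old array entry */
+zval_ptr_dtor(&ent2->data);
+
+/* Set stack entry to point to the newly created object */
+ZVAL_COPY_VALUE(&ent2->data, &obj);
 }
-
-/* Clean up old array entry */
-zval_ptr_dtor(&ent2->data);
-
-/* Set stack entry to point to the newly created object */
-ZVAL_COPY_VALUE(&ent2->data, &obj);
 }
 
 /* Clean up class name var entry */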
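Review bot: The failure branch at new line 970 never releases `obj`: when `object_init_ex()` returns SUCCESS but `EG(exception)` is already set, the branch is still taken with a fully constructed object in `obj`, which is neither destroyed nor stored into `ent2->data`, so it leaks. Provided the engine leaves `obj` initialized on every return path of `object_init_ex()` (it appears to null it on the failure path, but confirm), a `zval_ptr_dtor(&obj);` at the top of the branch covers both cases without affecting the interface/abstract case the new test exercises. It is also worth confirming that the code after this hunk tolerates `ent2->data` being `IS_UNDEF` on the error path, since the old code always left an object there. php_wddx_pop_element starts before and ends after this hunk.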
