Skip to content
Permalink
Browse files

Fix for bug #72790 and bug #72799

  • Loading branch information...
smalyshev committed Aug 11, 2016
1 parent 047fe0e commit a14fdb9746262549bbbb96abb87338bacd147e1b
Showing with 69 additions and 2 deletions.
  1. +35 −0 ext/wddx/tests/bug72790.phpt
  2. +28 −0 ext/wddx/tests/bug72799.phpt
  3. +6 −2 ext/wddx/wddx.c
@@ -0,0 +1,35 @@
--TEST--
Bug 72790: wddx_deserialize null dereference with invalid xml
--SKIPIF--
<?php
if (!extension_loaded('wddx')) {
die('skip. wddx not available');
}
?>
--FILE--
<?php
$xml = <<< XML
<?xml version='1.0' ?>
<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
<wddxPacket version='1.0'>
|array>
<var name="XXXX">
<boolean value="this">
</boolean>
</var>
<var name="YYYY">
<var name="UUUU">
<var name="EZEZ">
</var>
</var>
</var>
</array>
</wddxPacket>
XML;
$array = wddx_deserialize($xml);
var_dump($array);
?>
--EXPECT--
NULL
@@ -0,0 +1,28 @@
--TEST--
Bug #72799: wddx_deserialize null dereference in php_wddx_pop_element
--SKIPIF--
<?php
if (!extension_loaded('wddx')) {
die('skip. wddx not available');
}
?>
--FILE--
<?php
$xml = <<<XML
<?xml version='1.0'?>
<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
<wddxPacket version="1.0">
<var name="XXXX">
<boolean value="1">
<dateTime>1998-06-12T04:32:12+00</dateTime>
</boolean>
</var>
</wddxPacket>
XML;
$array = wddx_deserialize($xml);
var_dump($array);
?>
--EXPECT--
NULL
@@ -946,10 +946,10 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
if (!ent1->data) {
if (stack->top > 1) {
stack->top--;
efree(ent1);
} else {
stack->done = 1;
}
efree(ent1);
return;
}

@@ -988,7 +988,7 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
wddx_stack_top(stack, (void**)&ent2);

/* if non-existent field */
if (ent2->type == ST_FIELD && ent2->data == NULL) {
if (ent2->data == NULL) {
zval_ptr_dtor(&ent1->data);
efree(ent1);
return;
@@ -1179,9 +1179,13 @@ int php_wddx_deserialize_ex(char *value, int vallen, zval *return_value)

if (stack.top == 1) {
wddx_stack_top(&stack, (void**)&ent);
if(ent->data == NULL) {
retval = FAILURE;
} else {
*return_value = *(ent->data);
zval_copy_ctor(return_value);
retval = SUCCESS;
}
} else {
retval = FAILURE;
}

0 comments on commit a14fdb9

Please sign in to comment.
You can’t perform that action at this time.