Skip to content

Commit a14fdb9

Browse files
committed
Fix for bug #72790 and bug #72799
1 parent 047fe0e commit a14fdb9

File tree

3 files changed

+69
-2
lines changed

3 files changed

+69
-2
lines changed

Diff for: ext/wddx/tests/bug72790.phpt

+35
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,35 @@
1+
--TEST--
2+
Bug 72790: wddx_deserialize null dereference with invalid xml
3+
--SKIPIF--
4+
<?php
5+
if (!extension_loaded('wddx')) {
6+
die('skip. wddx not available');
7+
}
8+
?>
9+
--FILE--
10+
<?php
11+
12+
$xml = <<< XML
13+
<?xml version='1.0' ?>
14+
<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
15+
<wddxPacket version='1.0'>
16+
|array>
17+
<var name="XXXX">
18+
<boolean value="this">
19+
</boolean>
20+
</var>
21+
<var name="YYYY">
22+
<var name="UUUU">
23+
<var name="EZEZ">
24+
</var>
25+
</var>
26+
</var>
27+
</array>
28+
</wddxPacket>
29+
XML;
30+
31+
$array = wddx_deserialize($xml);
32+
var_dump($array);
33+
?>
34+
--EXPECT--
35+
NULL

Diff for: ext/wddx/tests/bug72799.phpt

+28
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,28 @@
1+
--TEST--
2+
Bug #72799: wddx_deserialize null dereference in php_wddx_pop_element
3+
--SKIPIF--
4+
<?php
5+
if (!extension_loaded('wddx')) {
6+
die('skip. wddx not available');
7+
}
8+
?>
9+
--FILE--
10+
<?php
11+
12+
$xml = <<<XML
13+
<?xml version='1.0'?>
14+
<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
15+
<wddxPacket version="1.0">
16+
<var name="XXXX">
17+
<boolean value="1">
18+
<dateTime>1998-06-12T04:32:12+00</dateTime>
19+
</boolean>
20+
</var>
21+
</wddxPacket>
22+
XML;
23+
24+
$array = wddx_deserialize($xml);
25+
var_dump($array);
26+
?>
27+
--EXPECT--
28+
NULL

Diff for: ext/wddx/wddx.c

+6-2
Original file line numberDiff line numberDiff line change
@@ -946,10 +946,10 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
946946
if (!ent1->data) {
947947
if (stack->top > 1) {
948948
stack->top--;
949+
efree(ent1);
949950
} else {
950951
stack->done = 1;
951952
}
952-
efree(ent1);
953953
return;
954954
}
955955

@@ -988,7 +988,7 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
988988
wddx_stack_top(stack, (void**)&ent2);
989989

990990
/* if non-existent field */
991-
if (ent2->type == ST_FIELD && ent2->data == NULL) {
991+
if (ent2->data == NULL) {
992992
zval_ptr_dtor(&ent1->data);
993993
efree(ent1);
994994
return;
@@ -1179,9 +1179,13 @@ int php_wddx_deserialize_ex(char *value, int vallen, zval *return_value)
11791179

11801180
if (stack.top == 1) {
11811181
wddx_stack_top(&stack, (void**)&ent);
1182+
if(ent->data == NULL) {
1183+
retval = FAILURE;
1184+
} else {
11821185
*return_value = *(ent->data);
11831186
zval_copy_ctor(return_value);
11841187
retval = SUCCESS;
1188+
}
11851189
} else {
11861190
retval = FAILURE;
11871191
}

0 commit comments

Comments
 (0)