Skip to content

Commit a44c89e

Browse files
committed
Fix bug #72340: Double Free Courruption in wddx_deserialize
1 parent 4dd0365 commit a44c89e

File tree

2 files changed

+28
-0
lines changed

2 files changed

+28
-0
lines changed

Diff for: ext/wddx/tests/bug72340.phpt

+24
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,24 @@
1+
--TEST--
2+
Bug #72340: Double Free Courruption in wddx_deserialize
3+
--SKIPIF--
4+
<?php
5+
if (!extension_loaded("wddx")) print "skip";
6+
?>
7+
--FILE--
8+
<?php
9+
$xml = <<<EOF
10+
<?xml version='1.0' ?>
11+
<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
12+
<wddxPacket version='1.0'>
13+
<array><var name="XXXXXXXX"><boolean value="none">TEST</boolean></var>
14+
<var name="YYYYYYYY"><var name="ZZZZZZZZ"><var name="EZEZEZEZ">
15+
</var></var></var>
16+
</array>
17+
</wddxPacket>
18+
EOF;
19+
$array = wddx_deserialize($xml);
20+
var_dump($array);
21+
?>
22+
--EXPECT--
23+
array(0) {
24+
}

Diff for: ext/wddx/wddx.c

+4
Original file line numberDiff line numberDiff line change
@@ -1096,6 +1096,9 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len)
10961096
break;
10971097

10981098
case ST_BOOLEAN:
1099+
if(!ent->data) {
1100+
break;
1101+
}
10991102
if (!strcmp(s, "true")) {
11001103
Z_LVAL_P(ent->data) = 1;
11011104
} else if (!strcmp(s, "false")) {
@@ -1104,6 +1107,7 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len)
11041107
zval_ptr_dtor(&ent->data);
11051108
if (ent->varname) {
11061109
efree(ent->varname);
1110+
ent->varname = NULL;
11071111
}
11081112
ent->data = NULL;
11091113
}

0 commit comments

Comments
 (0)