Skip to content
Permalink
Browse files Browse the repository at this point in the history
Fix bug #72860: wddx_deserialize use-after-free
  • Loading branch information
smalyshev committed Sep 13, 2016
1 parent 65c8caa commit b88393f
Show file tree
Hide file tree
Showing 2 changed files with 29 additions and 1 deletion.
27 changes: 27 additions & 0 deletions ext/wddx/tests/bug72860.phpt
@@ -0,0 +1,27 @@
--TEST--
Bug #72860: wddx_deserialize use-after-free
--SKIPIF--
<?php
if (!extension_loaded('wddx')) {
die('skip. wddx not available');
}
?>
--FILE--
<?php

$xml=<<<XML
<?xml version='1.0'?>
<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
<wddxPacket version='1.0'>
<recordset fieldNames='F'>
<field name='F'>
</recordset>
</wddxPacket>
XML;

var_dump(wddx_deserialize($xml));
?>
DONE
--EXPECT--
NULL
DONE
3 changes: 2 additions & 1 deletion ext/wddx/wddx.c
Expand Up @@ -230,7 +230,8 @@ static int wddx_stack_destroy(wddx_stack *stack)

if (stack->elements) {
for (i = 0; i < stack->top; i++) {
if (((st_entry *)stack->elements[i])->data) {
if (((st_entry *)stack->elements[i])->data
&& ((st_entry *)stack->elements[i])->type != ST_FIELD) {
zval_ptr_dtor(&((st_entry *)stack->elements[i])->data);
}
if (((st_entry *)stack->elements[i])->varname) {
Expand Down

0 comments on commit b88393f

Please sign in to comment.