From: Markus Koschany Date: Sun, 16 Jul 2017 18:15:19 +0200 Subject: CVE-2017-11143 Bug-Upstream: https://bugs.php.net/bug.php?id=74145 Origin: https://git.php.net/?p=php-src.git;a=commitdiff;h=2aae60461c2ff7b7fbcdd194c789ac841d0747d7 Origin: http://git.php.net/?p=php-src.git;a=commitdiff;h=f269cdcd4f76accbecd03884f327cffb9a7f1ca9 --- ext/wddx/tests/bug74145.phpt | 16 ++++++++++++++++ ext/wddx/tests/bug74145.xml | 9 +++++++++ ext/wddx/wddx.c | 10 ++++++---- 3 files changed, 31 insertions(+), 4 deletions(-) create mode 100644 ext/wddx/tests/bug74145.phpt create mode 100644 ext/wddx/tests/bug74145.xml diff --git a/ext/wddx/tests/bug74145.phpt b/ext/wddx/tests/bug74145.phpt new file mode 100644 index 0000000..a99a117 --- /dev/null +++ b/ext/wddx/tests/bug74145.phpt @@ -0,0 +1,16 @@ +--TEST-- +Bug #74145 (wddx parsing empty boolean tag leads to SIGSEGV) +--SKIPIF-- + +--FILE-- + +DONE +--EXPECTF-- +NULL +DONE \ No newline at end of file diff --git a/ext/wddx/tests/bug74145.xml b/ext/wddx/tests/bug74145.xml new file mode 100644 index 0000000..e5d35fb --- /dev/null +++ b/ext/wddx/tests/bug74145.xml @@ -0,0 +1,9 @@ + + + + + + + + + diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c index d401b62..3293d62 100644 --- a/ext/wddx/wddx.c +++ b/ext/wddx/wddx.c 
@@ -795,20 +795,22 @@ static void php_wddx_push_element(void *user_data, const XML_Char *name, const X if (atts) for (i = 0; atts[i]; i++) { if (!strcmp(atts[i], EL_VALUE) && atts[i+1] && atts[i+1][0]) { - ent.type = ST_BOOLEAN; - SET_STACK_VARNAME; - ALLOC_ZVAL(ent.data); INIT_PZVAL(ent.data); Z_TYPE_P(ent.data) = IS_BOOL; + ent.type = ST_BOOLEAN; + SET_STACK_VARNAME; wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry)); php_wddx_process_data(user_data, atts[i+1], strlen(atts[i+1])); break; } } else { + ALLOC_ZVAL(ent.data); + INIT_PZVAL(ent.data); + Z_TYPE_P(ent.data) = IS_BOOL; ent.type = ST_BOOLEAN; SET_STACK_VARNAME; - ZVAL_FALSE(&ent.data); + ZVAL_FALSE(ent.data); wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry)); } } else if (!strcmp(name, EL_NULL)) {
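Review bot: The `else` that pushes the default false entry binds to `if (atts)`, so a `<boolean>` start tag whose attribute array is non-NULL but holds no non-empty `value` runs the loop to completion and pushes nothing onto the stack. If the matching end-tag handler pops one entry per boolean element (not visible in this hunk), the stack goes out of step on untrusted WDDX input, which is the same class of fault this patch is closing. Pushing one default-false entry unconditionally, then letting `php_wddx_process_data` overwrite it when a value is found, would cover the no-attributes, no-value and empty-value cases and remove the duplicated allocation lines. This assumes `php_wddx_process_data` acts on the entry just pushed, as the existing call order suggests. `php_wddx_push_element` begins and continues outside the hunk.

```c
		/* Push a default-false boolean first so that every <boolean> start tag
		 * leaves exactly one entry on the stack, with or without a value. */
		ALLOC_ZVAL(ent.data);
		INIT_PZVAL(ent.data);
		ZVAL_FALSE(ent.data);
		ent.type = ST_BOOLEAN;
		SET_STACK_VARNAME;
		wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry));

		if (atts) for (i = 0; atts[i]; i++) {
			if (!strcmp(atts[i], EL_VALUE) && atts[i+1] && atts[i+1][0]) {
				/* assumed to update the entry pushed above -- confirm */
				php_wddx_process_data(user_data, atts[i+1], strlen(atts[i+1]));
				break;
			}
		}
	/* … unchanged: } else if (!strcmp(name, EL_NULL)) { … */
```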