You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 

55 lines
1.5 KiB

Index: php5-5.4.45/ext/wddx/tests/bug72340.phpt
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ php5-5.4.45/ext/wddx/tests/bug72340.phpt 2016-08-25 15:18:40.000000000 +0200
@@ -0,0 +1,24 @@
+--TEST--
+Bug #72340: Double Free Courruption in wddx_deserialize
+--SKIPIF--
+<?php
+if (!extension_loaded("wddx")) print "skip";
+?>
+--FILE--
+<?php
+$xml = <<<EOF
+<?xml version='1.0' ?>
+<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
+<wddxPacket version='1.0'>
+ <array><var name="XXXXXXXX"><boolean value="none">TEST</boolean></var>
+ <var name="YYYYYYYY"><var name="ZZZZZZZZ"><var name="EZEZEZEZ">
+ </var></var></var>
+ </array>
+</wddxPacket>
+EOF;
+$array = wddx_deserialize($xml);
+var_dump($array);
+?>
+--EXPECT--
+array(0) {
+}
Index: php5-5.4.45/ext/wddx/wddx.c
===================================================================
--- php5-5.4.45.orig/ext/wddx/wddx.c 2016-08-25 15:18:40.000000000 +0200
+++ php5-5.4.45/ext/wddx/wddx.c 2016-08-25 15:19:59.000000000 +0200
@@ -1084,6 +1084,9 @@
break;
case ST_BOOLEAN:
+ if(!ent->data) {
+ break;
+ }
if (!strcmp(s, "true")) {
Z_LVAL_P(ent->data) = 1;
} else if (!strcmp(s, "false")) {
@@ -1091,8 +1094,10 @@
} else {
stack->top--;
zval_ptr_dtor(&ent->data);
- if (ent->varname)
+ if (ent->varname) {
efree(ent->varname);
+ ent->varname = NULL;
+ }
efree(ent);
}
break;