From 66fd44209d5ffcb9b3d1bc1b9fd8e35b485040c0 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 5 Dec 2016 21:40:55 -0800
Subject: [PATCH] CVE-2016-9935
Fix bug #73631 - Invalid read when wddx decodes empty boolean element
[roberto@debian.org: backported to 5.4.45]
Bug: https://bugs.php.net/bug.php?id=73631
Origin: backport, http://git.php.net/?p=php-src.git;a=commitdiff;h=66fd44209d5ffcb9b3d1bc1b9fd8e35b485040c0
---
ext/wddx/tests/bug73631.phpt | 19 +++++++++++++++++++
ext/wddx/wddx.c | 5 +++++
2 files changed, 24 insertions(+)
create mode 100644 ext/wddx/tests/bug73631.phpt
--- /dev/null
+++ php5.git/ext/wddx/tests/bug73631.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #73631 (Memory leak due to invalid wddx stack processing)
+--SKIPIF--
+<?php if (!extension_loaded("wddx")) print "skip"; ?>
+--FILE--
+<?php
+$xml = <<<EOF
+<?xml version="1.0" ?>
+<wddxPacket version="1.0">
+<number>1234</number>
+<binary><boolean/></binary>
+</wddxPacket>
+EOF;
+$wddx = wddx_deserialize($xml);
+var_dump($wddx);
+?>
+--EXPECTF--
+int(1234)
+
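Review bot: The `--TEST--` title reads "Memory leak due to invalid wddx stack processing", while the commit subject and the linked bug describe an invalid read on an empty boolean element. The title should match the bug, e.g. `Bug #73631 (Invalid read when wddx decodes empty boolean element)`. The packet exercises only a `<boolean/>` with no attributes, so a second packet where the element carries an attribute but no usable `value` would confirm that form is handled too. The expected output `int(1234)` may print with or without the fix, so the test is only meaningful as a regression guard when run under a memory checker.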
--- php5.git.orig/ext/wddx/wddx.c
+++ php5.git/ext/wddx/wddx.c
@@ -805,6 +805,11 @@
php_wddx_process_data(user_data, atts[i+1], strlen(atts[i+1]));
break;
}
+ } else {
+ ent.type = ST_BOOLEAN;
+ SET_STACK_VARNAME;
+ ZVAL_FALSE(&ent.data);
+ wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry));
}
} else if (!strcmp(name, EL_NULL)) {
ent.type = ST_NULL;
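Review bot: `ZVAL_FALSE(&ent.data)` in the added `else` branch passes the address of the `data` field, and whether that is correct depends on the field's type, which is declared outside this hunk. If `ent.data` is a `zval *` in this 5.4 tree (confirm against the `st_entry` definition and the allocation earlier in this branch), the macro would write through a `zval **` and overwrite the pointer instead of setting the value. In that case the line should read `ZVAL_FALSE(ent.data);`. The new branch also appears to pair with the outer attribute check rather than the inner match, so a `<boolean>` element that has attributes but no non-empty `value` may still push nothing. The enclosing `if`/`for` starts above the hunk, so that needs checking in the full function.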