diff options
Diffstat (limited to 'bug71335.patch')
| -rw-r--r-- | bug71335.patch | 66 |
1 files changed, 66 insertions, 0 deletions
diff --git a/bug71335.patch b/bug71335.patch new file mode 100644 index 0000000..f258b77 --- /dev/null +++ b/bug71335.patch @@ -0,0 +1,66 @@ +Backported from 5.5 for 5.4 by Remi Collet + +From 285cd3417fb61597345b829f5f573707bbdcd484 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Wed, 13 Jan 2016 16:43:04 -0800 +Subject: [PATCH] Fix bug #71335: Type Confusion in WDDX Packet Deserialization + +--- + ext/wddx/tests/bug71335.phpt | 33 +++++++++++++++++++++++++++++++++ + ext/wddx/wddx.c | 3 ++- + 2 files changed, 35 insertions(+), 1 deletion(-) + create mode 100644 ext/wddx/tests/bug71335.phpt + +diff --git a/ext/wddx/tests/bug71335.phpt b/ext/wddx/tests/bug71335.phpt +new file mode 100644 +index 0000000..57a7f14 +--- /dev/null ++++ b/ext/wddx/tests/bug71335.phpt +@@ -0,0 +1,33 @@ ++--TEST-- ++Bug #71335 (Type Confusion in WDDX Packet Deserialization) ++--SKIPIF-- ++<?php ++if (!extension_loaded("wddx")) print "skip"; ++?> ++--FILE-- ++<?php ++$x = "<?xml version='1.0'?> ++<wddxPacket version='1.0'> ++<header/> ++ <data> ++ <struct> ++ <var name='php_class_name'> ++ <string>stdClass</string> ++ </var> ++ <var name='php_class_name'> ++ <string>stdClass</string> ++ </var> ++ </struct> ++ </data> ++</wddxPacket>"; ++ ++$d = wddx_deserialize($x); ++var_dump($d); ++?> ++DONE ++--EXPECTF-- ++object(stdClass)#%d (1) { ++ ["php_class_name"]=> ++ string(8) "stdClass" ++} ++DONE +diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c +index b9dd1fa..7267ee1 100644 +--- a/ext/wddx/wddx.c ++++ b/ext/wddx/wddx.c +@@ -978,7 +978,8 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name) + + if (ent1->varname) { + if (!strcmp(ent1->varname, PHP_CLASS_NAME_VAR) && +- Z_TYPE_P(ent1->data) == IS_STRING && Z_STRLEN_P(ent1->data) && ent2->type == ST_STRUCT) { ++ Z_TYPE_P(ent1->data) == IS_STRING && Z_STRLEN_P(ent1->data) && ++ ent2->type == ST_STRUCT && Z_TYPE_P(ent2->data) == IS_ARRAY) { + zend_bool incomplete_class = 0; + + zend_str_tolower(Z_STRVAL_P(ent1->data), Z_STRLEN_P(ent1->data)); |