From 436225969c85449d3352c91b972a5e31828f68f0 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Tue, 21 Jun 2016 16:18:39 +0200 Subject: php 5.4: backport patch from 5.5.37 (wip) --- bug72340.patch | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 bug72340.patch (limited to 'bug72340.patch') diff --git a/bug72340.patch b/bug72340.patch new file mode 100644 index 0000000..39646e5 --- /dev/null +++ b/bug72340.patch @@ -0,0 +1,66 @@ +Backported from 5.5.37 for 5.4 by Remi Collet + + +From a44c89e8af7c2410f4bfc5e097be2a5d0639a60c Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 12 Jun 2016 23:18:23 -0700 +Subject: [PATCH] Fix bug #72340: Double Free Courruption in wddx_deserialize + +--- + ext/wddx/tests/bug72340.phpt | 24 ++++++++++++++++++++++++ + ext/wddx/wddx.c | 4 ++++ + 2 files changed, 28 insertions(+) + create mode 100644 ext/wddx/tests/bug72340.phpt + +diff --git a/ext/wddx/tests/bug72340.phpt b/ext/wddx/tests/bug72340.phpt +new file mode 100644 +index 0000000..8d694ca +--- /dev/null ++++ b/ext/wddx/tests/bug72340.phpt +@@ -0,0 +1,24 @@ ++--TEST-- ++Bug #72340: Double Free Courruption in wddx_deserialize ++--SKIPIF-- ++ ++--FILE-- ++ ++ ++ ++ TEST ++ ++ ++ ++ ++EOF; ++$array = wddx_deserialize($xml); ++var_dump($array); ++?> ++--EXPECT-- ++array(0) { ++} +diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c +index da34246..311d6aa 100644 +--- a/ext/wddx/wddx.c ++++ b/ext/wddx/wddx.c +@@ -1096,6 +1096,9 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len) + break; + + case ST_BOOLEAN: ++ if(!ent->data) { ++ break; ++ } + if (!strcmp(s, "true")) { + Z_LVAL_P(ent->data) = 1; + } else if (!strcmp(s, "false")) { +@@ -1104,6 +1107,7 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len) + zval_ptr_dtor(&ent->data); + if (ent->varname) { + efree(ent->varname); ++ ent->varname = NULL; + } + ent->data = NULL; + } -- cgit