- Wddx:
. Fixed bug #72564 (boolean always deserialized as "true") (Remi)
+ . Fixed bug #72142 (WDDX Packet Injection Vulnerability in
+ wddx_serialize_value()). (Taoguang Chen)
+
- Zip:
. Fixed bug #72660 (NULL Pointer dereference in zend_virtual_cwd).
{
php_wddx_add_chunk_static(packet, WDDX_PACKET_S);
if (comment) {
- char *escaped;
- size_t escaped_len;
- escaped = php_escape_html_entities(
- comment, comment_len, &escaped_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
+ zend_string *escaped = php_escape_html_entities(
+ comment, comment_len, 0, ENT_QUOTES, NULL);
php_wddx_add_chunk_static(packet, WDDX_HEADER_S);
php_wddx_add_chunk_static(packet, WDDX_COMMENT_S);
- php_wddx_add_chunk_ex(packet, escaped, escaped_len);
+ php_wddx_add_chunk_ex(packet, ZSTR_VAL(escaped), ZSTR_LEN(escaped));
php_wddx_add_chunk_static(packet, WDDX_COMMENT_E);
php_wddx_add_chunk_static(packet, WDDX_HEADER_E);
- str_efree(escaped);
+ zend_string_release(escaped);
} else {
php_wddx_add_chunk_static(packet, WDDX_HEADER);
}
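Review bot: The escaping call `php_escape_html_entities(comment, comment_len, 0, ENT_QUOTES, NULL)` has no comment explaining why it is there, yet it is the line that closes bug #72142, so a later cleanup could remove it without anyone noticing the regression. I would add above it `/* comment is caller-supplied and is written inside the XML header; escape it so it cannot close the element and inject WDDX markup (bug #72142) */`. Passing `NULL` as the charset hint ties the result to the configured default charset, and as far as I know input that is invalid in that charset comes back as an empty string unless a flag such as `ENT_SUBSTITUTE` is set, so a comment could be silently dropped; that is worth confirming and documenting if intended. The function's signature and closing brace lie outside the hunk, so the types of `comment` and `comment_len` cannot be checked from here.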