]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: cfee511)
Fixed bug #73173
authorNikita Popov <nikita.ppv@gmail.com>
Sun, 25 Jun 2017 18:14:58 +0000 (20:14 +0200)
committerNikita Popov <nikita.ppv@gmail.com>
Sun, 25 Jun 2017 18:17:06 +0000 (20:17 +0200)
Patch by tloi at fortinet dot com.

NEWS patch | blob | history
ext/wddx/tests/bug73173.phpt [new file with mode: 0644] patch | blob
ext/wddx/wddx.c patch | blob | history

diff --git a/NEWS b/NEWS
index f215ab8dd7f0f9184a702dcaad655a74914c9642..b790a26e9fbf7bfb60c33881da8c218b9d73b888 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,10 @@ PHP                                                                        NEWS
 - SPL:
   . Fixed bug #73471 (PHP freezes with AppendIterator). (jhdxr)
 
+- Wddx:
+  . Fixed bug #73173 (huge memleak when wddx_unserialize).
+    (tloi at fortinet dot com)
+
 - zlib:
   . Fixed bug #73944 (dictionary option of inflate_init() does not work).
     (wapmorgan)
diff --git a/ext/wddx/tests/bug73173.phpt b/ext/wddx/tests/bug73173.phpt
new file mode 100644 (file)
index 0000000..00fe56e
--- /dev/null
+++ b/ext/wddx/tests/bug73173.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Bug #73173: huge memleak when wddx_unserialize
+--SKIPIF--
+<?php if (!extension_loaded("wddx")) print "skip"; ?>
+--FILE--
+<?php
+
+$xml=<<<XML
+<?xml version='1.0'?>
+<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
+<wddxPacket>
+<var name="
+XML;
+
+$xml .= str_repeat('F',0x80000);
+
+$xml .= <<<XML
+">
+</wddxPacket>
+XML;
+var_dump(wddx_deserialize($xml));
+
+?>
+--EXPECT--
+NULL
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
index 4040ed61c660fd5c05a4884a4dda953de374fc4b..25d7deae1764477840f854eec195f2e875266fbc 100644 (file)
--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@@ -241,6 +241,9 @@ static int wddx_stack_destroy(wddx_stack *stack)
                }
                efree(stack->elements);
        }
+       if (stack->varname) {
+               efree(stack->varname);
+       }
        return SUCCESS;
 }
 /* }}} */
Unnamed repository; edit this file 'description' to name the repository.