Fix bug #73831 - NULL Pointer Dereference while unserialize php object
authorStanislav Malyshev <stas@php.net>
Sun, 1 Jan 2017 04:14:20 +0000 (20:14 -0800)
committerStanislav Malyshev <stas@php.net>
Sun, 1 Jan 2017 04:14:20 +0000 (20:14 -0800)
ext/wddx/tests/bug73831.phpt [new file with mode: 0644]
ext/wddx/wddx.c

diff --git a/ext/wddx/tests/bug73831.phpt b/ext/wddx/tests/bug73831.phpt
new file mode 100644 (file)
index 0000000..0f8b8b1
--- /dev/null
@@ -0,0 +1,23 @@
+--TEST--
+Bug #73831 (NULL Pointer Dereference while unserialize php object)
+--SKIPIF--
+<?php if (!extension_loaded("wddx")) print "skip"; ?>
+--FILE--
+<?php
+$xml = <<<EOF
+<?xml version="1.0" ?>
+<wddxPacket version="1.0">
+       <struct>
+               <var name="php_class_name">
+                       <string>Throwable</string>
+                </var>
+        </struct>
+</wddxPacket>
+EOF;
+try {
+       $wddx = wddx_deserialize($xml);
+} catch(Error $e) { echo $e->getMessage(); }
+?>
+--EXPECTF--
+Warning: wddx_deserialize(): Class throwable can not be instantiated in %sbug73831.php on line %d
+Cannot instantiate interface Throwable
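Review bot: The test pins only the interface case; the new failure branch in wddx.c is also reached for an abstract class (with a different engine message) and, more importantly, for a second `php_class_name` struct in the same packet once an exception is already pending, which is the path where the new code's handling of the freshly created object matters. A second packet with `<string>ArrayAccess</string>` followed by a struct naming an instantiable class such as `stdClass` would exercise that path, with `--EXPECTF--` extended accordingly. The expected warning prints the lowercased name `throwable` although the packet says `Throwable`; that presumably reflects case-folding done earlier in php_wddx_pop_element, and a one-line comment in the test such as `// class name is lowercased by the deserializer before lookup` would stop someone "fixing" the expectation later.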
index d58a564593cb0c075767bee8eee6bd7b7cc335c7..70c6213407256186aa29ddabae4fe7ead3412e2c 100644 (file)
@@ -908,7 +908,7 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
 
                if (!strcmp((char *)name, EL_BINARY)) {
                        zend_string *new_str = NULL;
-                       
+
                        if (ZSTR_EMPTY_ALLOC() != Z_STR(ent1->data)) {
                                new_str = php_base64_decode(
                                        (unsigned char *)Z_STRVAL(ent1->data), Z_STRLEN(ent1->data));
@@ -967,22 +967,26 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
                                                        php_error_docref(NULL, E_WARNING, "Class %s can not be unserialized", Z_STRVAL(ent1->data));
                                                } else {
                                                        /* Initialize target object */
-                                                       object_init_ex(&obj, pce);
-
-                                                       /* Merge current hashtable with object's default properties */
-                                                       zend_hash_merge(Z_OBJPROP(obj),
-                                                                                       Z_ARRVAL(ent2->data),
-                                                                                       zval_add_ref, 0);
-
-                                                       if (incomplete_class) {
-                                                               php_store_class_name(&obj, Z_STRVAL(ent1->data), Z_STRLEN(ent1->data));
+                                                       if (object_init_ex(&obj, pce) != SUCCESS || EG(exception)) {
+                                                               zval_ptr_dtor(&ent2->data);
+                                                               ZVAL_UNDEF(&ent2->data);
+                                                               php_error_docref(NULL, E_WARNING, "Class %s can not be instantiated", Z_STRVAL(ent1->data));
+                                                       } else {
+                                                               /* Merge current hashtable with object's default properties */
+                                                               zend_hash_merge(Z_OBJPROP(obj),
+                                                                                               Z_ARRVAL(ent2->data),
+                                                                                               zval_add_ref, 0);
+
+                                                               if (incomplete_class) {
+                                                                       php_store_class_name(&obj, Z_STRVAL(ent1->data), Z_STRLEN(ent1->data));
+                                                               }
+
+                                                               /* Clean up old array entry */
+                                                               zval_ptr_dtor(&ent2->data);
+
+                                                               /* Set stack entry to point to the newly created object */
+                                                               ZVAL_COPY_VALUE(&ent2->data, &obj);
                                                        }
-
-                                                       /* Clean up old array entry */
-                                                       zval_ptr_dtor(&ent2->data);
-
-                                                       /* Set stack entry to point to the newly created object */
-                                                       ZVAL_COPY_VALUE(&ent2->data, &obj);
                                                }
 
                                                /* Clean up class name var entry */
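Review bot: The new `if (object_init_ex(&obj, pce) != SUCCESS || EG(exception))` branch leaks the object when only the second operand fires: if `object_init_ex()` succeeds but an exception was already pending (for example from an earlier struct in the same packet, since the expat callbacks keep running after a throw), `obj` holds a live object that nothing in the failure branch releases. Checking the pending exception before constructing avoids that: `if (EG(exception) || object_init_ex(&obj, pce) != SUCCESS) {`, assuming `obj` is not read elsewhere on this path. Separately, `ZVAL_UNDEF(&ent2->data)` leaves an undefined slot on the parse stack, whereas the "can not be unserialized" branch just above appears to leave the parsed array in place; using `ZVAL_NULL(&ent2->data)` (or keeping the array) would be safer should this branch ever be taken without a pending exception, since later consumers of `ent2->data` may not expect UNDEF. php_wddx_pop_element continues beyond this hunk.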