Fix bug #72340: Double Free Courruption in wddx_deserialize
authorStanislav Malyshev <stas@php.net>
Mon, 13 Jun 2016 06:18:23 +0000 (23:18 -0700)
committerStanislav Malyshev <stas@php.net>
Mon, 13 Jun 2016 06:18:23 +0000 (23:18 -0700)
ext/wddx/tests/bug72340.phpt [new file with mode: 0644]
ext/wddx/wddx.c

diff --git a/ext/wddx/tests/bug72340.phpt b/ext/wddx/tests/bug72340.phpt
new file mode 100644 (file)
index 0000000..8d694ca
--- /dev/null
@@ -0,0 +1,24 @@
+--TEST--
+Bug #72340: Double Free Courruption in wddx_deserialize
+--SKIPIF--
+<?php
+if (!extension_loaded("wddx")) print "skip";
+?>
+--FILE--
+<?php
+$xml = <<<EOF
+<?xml version='1.0' ?>
+<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
+<wddxPacket version='1.0'>
+       <array><var name="XXXXXXXX"><boolean value="none">TEST</boolean></var>
+               <var name="YYYYYYYY"><var name="ZZZZZZZZ"><var name="EZEZEZEZ">
+               </var></var></var>
+       </array>
+</wddxPacket>
+EOF;
+$array = wddx_deserialize($xml);
+var_dump($array);
+?>
+--EXPECT--
+array(0) {
+}
index da3424695b299a3ed40715498ec07b79afe845da..311d6aa4a567f1e04462413300342a86b5436c6c 100644 (file)
@@ -1096,6 +1096,9 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len)
                                break;
 
                        case ST_BOOLEAN:
+                               if(!ent->data) {
+                                       break;
+                               }
                                if (!strcmp(s, "true")) {
                                        Z_LVAL_P(ent->data) = 1;
                                } else if (!strcmp(s, "false")) {
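Review bot: The `strcmp(s, "true")` and `strcmp(s, "false")` calls that follow the new `ent->data` guard ignore the `len` argument php_wddx_process_data receives, so they depend on `s` being NUL-terminated. XML character-data callbacks usually hand over a length-delimited buffer; if that is the case for this parser binding, strcmp can read past the end of the data. A bounded comparison such as `if (len == 4 && !memcmp(s, "true", 4))`, with `len == 5` for "false", would keep the read inside the buffer. The guard also deserves a comment saying why `ent->data` can be NULL here, apparently because the branch in the next hunk may already have released it, e.g. `/* value already discarded for this element */`. The switch and the function body continue outside the hunk.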
@@ -1104,6 +1107,7 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len)
                                        zval_ptr_dtor(&ent->data);
                                        if (ent->varname) {
                                                efree(ent->varname);
+                                               ent->varname = NULL;
                                        }
                                        ent->data = NULL;
                                }
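Review bot: After this branch the entry stays live with both `ent->data` and `ent->varname` set to NULL, but the only NULL guard visible in the commit is the one added to `ST_BOOLEAN`. Any other reader of `ent->data` for this entry (other cases of this switch, the element-end handling, neither visible here) needs the same check, which is worth confirming before relying on this fix alone. A comment on the branch would record the invariant, e.g. `/* invalid boolean: discard the value; data == NULL marks the entry as dropped */`. The branch opens outside the hunk, so its condition is inferred from the preceding hunk.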