too many conflicts to cherry-pick
--- /dev/null
+--TEST--
+Bug #70741 (Session WDDX Packet Deserialization Type Confusion Vulnerability)
+--SKIPIF--
+<?php
+if (!extension_loaded("wddx")) print "skip";
+?>
+--FILE--
+<?php
+ini_set('session.serialize_handler', 'wddx');
+session_start();
+
+$hashtable = str_repeat('A', 66);
+$wddx = "<?xml version='1.0'?>
+<wddxPacket version='1.0'>
+<header/>
+ <data>
+ <string>$hashtable</string>
+ </data>
+</wddxPacket>";
+session_decode($wddx);
+?>
+DONE
+--EXPECTF--
+
+Warning: session_decode(): Failed to decode session object. Session has been destroyed in %s on line %d
+DONE
\ No newline at end of file
ZVAL_UNDEF(&retval);
if ((ret = php_wddx_deserialize_ex(val, vallen, &retval)) == SUCCESS) {
+ if (Z_TYPE(retval) != IS_ARRAY) {
+ zval_dtor(&retval);
+ return FAILURE;
+ }
ZEND_HASH_FOREACH_KEY_VAL(Z_ARRVAL(retval), idx, key, ent) {
if (key == NULL) {
key = zend_long_to_str(idx);
projects / php / commitdiff