From: Joe Watkins
Date: Mon, 30 May 2016 07:56:50 +0000 (+0100)
Subject: fix #72155 (use-after-free caused by get_zval_xmlrpc_type)
X-Git-Tag: php-7.0.8RC1~31
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=1690dcb827e2b50eb575b1c6acadab0b8f248723;p=php
fix #72155 (use-after-free caused by get_zval_xmlrpc_type)
---
diff --git a/NEWS b/NEWS
index 69ae57823a..9aa71bd348 100644
--- a/NEWS
+++ b/NEWS
@@ -32,6 +32,9 @@ PHP NEWS
 - XML:
 . Fixed #72206 (xml_parser_create/xml_parser_free leaks mem). (Joe)
+- XMLRPC:
+ . Fixed #72155 (use-after-free caused by get_zval_xmlrpc_type). (Joe)
+
 26 May 2016 PHP 7.0.7
 - Core:
diff --git a/ext/xmlrpc/xmlrpc-epi-php.c b/ext/xmlrpc/xmlrpc-epi-php.c
index ea62bdc9a9..8daf26257e 100644
--- a/ext/xmlrpc/xmlrpc-epi-php.c
+++ b/ext/xmlrpc/xmlrpc-epi-php.c
@@ -1368,10 +1368,10 @@ XMLRPC_VALUE_TYPE get_zval_xmlrpc_type(zval* value, zval* newvalue) /* {{{ */
 if ((type == xmlrpc_base64 && Z_TYPE_P(value) == IS_OBJECT) || type == xmlrpc_datetime) {
 if ((val = zend_hash_str_find(Z_OBJPROP_P(value), OBJECT_VALUE_ATTR, sizeof(OBJECT_VALUE_ATTR) - 1)) != NULL) {
- ZVAL_COPY_VALUE(newvalue, val);
+ ZVAL_COPY(newvalue, val);
 }
 } else {
- ZVAL_COPY_VALUE(newvalue, value);
+ ZVAL_COPY(newvalue, value);
 }
 }
 }
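Review bot: In the `xmlrpc_base64`/`xmlrpc_datetime` branch of get_zval_xmlrpc_type, `newvalue` is still left unwritten when the `OBJECT_VALUE_ATTR` lookup returns NULL, and this matters more now that the other paths hand the caller an owned reference via `ZVAL_COPY`: a caller that releases `newvalue` unconditionally would act on whatever the zval held before the call. Adding `} else { ZVAL_UNDEF(newvalue); }` after the inner `if` would make the output well-defined on every path. As far as this diff shows, only this function is touched, so the callers (outside the hunk) should be checked for a matching `zval_ptr_dtor()` on the returned value; without it the use-after-free is traded for a reference leak. A short comment above the block such as `/* newvalue receives its own reference; the caller must zval_ptr_dtor() it */` would record the new ownership contract. The function body starts before the hunk.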