From: Xinchen Hui Date: Tue, 31 May 2016 03:44:20 +0000 (+0800) Subject: Re-Fixed bug #72155 (use-after-free caused by get_zval_xmlrpc_type) X-Git-Tag: php-7.0.8RC1~22 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=d1dd9b4558e9c1b2e86887f99c009063ee3eb5f4;p=php Re-Fixed bug #72155 (use-after-free caused by get_zval_xmlrpc_type) --- diff --git a/NEWS b/NEWS index 1988e935cb..6fc0149b15 100644 --- a/NEWS +++ b/NEWS @@ -33,10 +33,11 @@ PHP NEWS (Thomas Punt) - XML: - . Fixed #72206 (xml_parser_create/xml_parser_free leaks mem). (Joe) + . Fixed bug #72206 (xml_parser_create/xml_parser_free leaks mem). (Joe) - XMLRPC: - . Fixed #72155 (use-after-free caused by get_zval_xmlrpc_type). (Joe) + . Fixed bug #72155 (use-after-free caused by get_zval_xmlrpc_type). + (Joe, Laruence) - Zip: . Fixed ug #72258 (ZipArchive converts filenames to unrecoverable form). diff --git a/ext/xmlrpc/tests/bug72155.phpt b/ext/xmlrpc/tests/bug72155.phpt new file mode 100644 index 0000000000..38c90be252 --- /dev/null +++ b/ext/xmlrpc/tests/bug72155.phpt @@ -0,0 +1,22 @@ +--TEST-- +Bug #72155 (use-after-free caused by get_zval_xmlrpc_type) +--SKIPIF-- + +--FILE-- + +--EXPECTF-- +string(109) " + + + + 5 + + + +" diff --git a/ext/xmlrpc/xmlrpc-epi-php.c b/ext/xmlrpc/xmlrpc-epi-php.c index ea62bdc9a9..b5dcee8f0d 100644 --- a/ext/xmlrpc/xmlrpc-epi-php.c +++ b/ext/xmlrpc/xmlrpc-epi-php.c @@ -535,7 +535,7 @@ static XMLRPC_VALUE PHP_to_XMLRPC_worker (const char* key, zval* in_val, int dep xReturn = XMLRPC_CreateValueBoolean(key, Z_TYPE(val) == IS_TRUE); break; case xmlrpc_int: - convert_to_long(&val); + ZVAL_LONG(&val, zval_get_long(&val)); xReturn = XMLRPC_CreateValueInt(key, Z_LVAL(val)); break; case xmlrpc_double:
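Review bot: The replacement line in `case xmlrpc_int:` carries no comment explaining why `convert_to_long(&val)` must not be used here, so a later cleanup could restore the in-place conversion and reintroduce bug #72155. Judging from the bug title, `val` appears to be a non-owning copy filled in by `get_zval_xmlrpc_type()` outside this hunk, which would explain why reading it with `zval_get_long()` and overwriting it with `ZVAL_LONG` is safe where a destructive conversion is not. I would add `/* val is a borrowed copy: read it with zval_get_long(); convert_to_long() would release a value the caller still owns (bug #72155) */` above the new line. The neighbouring cases (the boolean case above and `case xmlrpc_double:` below) have their conversion calls outside the hunk; if they still run `convert_to_*()` on the same `val`, they deserve the same check. The body of `PHP_to_XMLRPC_worker` starts and ends outside the hunk.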