From 060ab26cfe2f25bc59eb2de593e11cea84ef70b0 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev
Date: Mon, 5 Sep 2016 23:42:31 -0700
Subject: [PATCH] Fix bug #72860: wddx_deserialize use-after-free
(cherry picked from commit ee552853ff4d72f626102025133e2cd1575043ee)
Conflicts: ext/wddx/wddx.c
---
 ext/wddx/tests/bug72860.phpt | 27 +++++++++++++++++++++++++++
 ext/wddx/wddx.c | 5 ++++-
 2 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 ext/wddx/tests/bug72860.phpt
diff --git a/ext/wddx/tests/bug72860.phpt b/ext/wddx/tests/bug72860.phpt
new file mode 100644
index 0000000000..6385457e8e
--- /dev/null
+++ b/ext/wddx/tests/bug72860.phpt
@@ -0,0 +1,27 @@
+--TEST--
+Bug #72860: wddx_deserialize use-after-free
+--SKIPIF--
+
+--FILE--
+
+
+
+
+
+
+
+XML;
+
+var_dump(wddx_deserialize($xml));
+?>
+DONE
+--EXPECT--
+NULL
+DONE
\ No newline at end of file
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
index 3a6835fbb6..ecbe153814 100644
--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@@ -230,7 +230,10 @@ static int wddx_stack_destroy(wddx_stack *stack)
 if (stack->elements) {
 for (i = 0; i < stack->top; i++) {
- zval_ptr_dtor(&((st_entry *)stack->elements[i])->data);
+ if (Z_TYPE(((st_entry *)stack->elements[i])->data) != IS_UNDEF
+ && ((st_entry *)stack->elements[i])->type != ST_FIELD) {
+ zval_ptr_dtor(&((st_entry *)stack->elements[i])->data);
+ }
 if (((st_entry *)stack->elements[i])->varname) {
 efree(((st_entry *)stack->elements[i])->varname);
 }
-- 
2.40.0
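Review bot: The new guard in the `wddx_stack_destroy` loop skips `zval_ptr_dtor` for `ST_FIELD` entries but carries no comment saying why, so the ownership rule that prevents the use-after-free exists only in the commit title. If the reason is that a field entry's `data` is not owned by the entry and is released elsewhere (presumably with its recordset, which this hunk does not show), say so above the condition, e.g. `/* ST_FIELD entries do not own ->data; destroying it here would release it a second time */`. Without that, a later cleanup could drop the `type != ST_FIELD` test as redundant and reintroduce the bug. It is also worth confirming that no path leaves a field entry as the sole owner of its `data`, since that value would now leak. Separately, the cast `(st_entry *)stack->elements[i]` is now repeated five times in the loop body; a local such as `st_entry *ent = stack->elements[i];` would make the condition easier to audit. The function body starts and ends outside the hunk.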