From cf1c50957b8169af01318df67bee42f8134cd708 Mon Sep 17 00:00:00 2001
From: Anatol Belski
Date: Mon, 4 Jan 2016 17:52:37 +0100
Subject: [PATCH] re-apply the patch from 1785d2b805f64eaaacf98c14c9e13107bf085ab1 too many conflicts to cherry-pick
---
ext/wddx/tests/bug70741.phpt | 26 ++++++++++++++++++++++++++
ext/wddx/wddx.c | 4 ++++
2 files changed, 30 insertions(+)
create mode 100644 ext/wddx/tests/bug70741.phpt
diff --git a/ext/wddx/tests/bug70741.phpt b/ext/wddx/tests/bug70741.phpt
new file mode 100644
index 0000000000..9c7e09b48b
--- /dev/null
+++ b/ext/wddx/tests/bug70741.phpt
@@ -0,0 +1,26 @@
+--TEST--
+Bug #70741 (Session WDDX Packet Deserialization Type Confusion Vulnerability)
+--SKIPIF--
+
+--FILE--
+
+
+
+ $hashtable
+
+";
+session_decode($wddx);
+?>
+DONE
+--EXPECTF--
+
+Warning: session_decode(): Failed to decode session object. Session has been destroyed in %s on line %d
+DONE
\ No newline at end of file
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
index 83b8f97294..c0971f8974 100644
--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@@ -298,6 +298,10 @@ PS_SERIALIZER_DECODE_FUNC(wddx)
 ZVAL_UNDEF(&retval);
 if ((ret = php_wddx_deserialize_ex(val, vallen, &retval)) == SUCCESS) {
+ if (Z_TYPE(retval) != IS_ARRAY) {
+ zval_dtor(&retval);
+ return FAILURE;
+ }
 ZEND_HASH_FOREACH_KEY_VAL(Z_ARRVAL(retval), idx, key, ent) {
 if (key == NULL) {
 key = zend_long_to_str(idx);
-- 2.40.0
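Review bot: The added `Z_TYPE(retval) != IS_ARRAY` guard in `PS_SERIALIZER_DECODE_FUNC(wddx)` has no comment explaining why it exists, and the reason is security-relevant: the packet is decoded from session data, and without the guard the `Z_ARRVAL(retval)` in the following `ZEND_HASH_FOREACH_KEY_VAL` would treat a string or other non-array value as a `HashTable`. I would add `/* Top-level WDDX value must be an array; Z_ARRVAL() on any other type is type confusion (bug #70741) */` directly above the `if`. As far as the visible lines of `bug70741.phpt` show, the new test exercises only a string payload, so a second case with a different non-array top-level type would pin the guard more firmly. The function body starts and ends outside the hunk, so whether `zval_dtor` matches the destructor used on the normal exit path cannot be confirmed from here and is worth checking for consistency.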