From d1dd9b4558e9c1b2e86887f99c009063ee3eb5f4 Mon Sep 17 00:00:00 2001
From: Xinchen Hui
Date: Tue, 31 May 2016 11:44:20 +0800
Subject: [PATCH] Re-Fixed bug #72155 (use-after-free caused by get_zval_xmlrpc_type)
---
 NEWS | 5 +++--
 ext/xmlrpc/tests/bug72155.phpt | 22 ++++++++++++++++++++++
 ext/xmlrpc/xmlrpc-epi-php.c | 2 +-
 3 files changed, 26 insertions(+), 3 deletions(-)
 create mode 100644 ext/xmlrpc/tests/bug72155.phpt
diff --git a/NEWS b/NEWS
index 1988e935cb..6fc0149b15 100644
--- a/NEWS
+++ b/NEWS
@@ -33,10 +33,11 @@ PHP NEWS (Thomas Punt) - XML: - . Fixed #72206 (xml_parser_create/xml_parser_free leaks mem). (Joe) + . Fixed bug #72206 (xml_parser_create/xml_parser_free leaks mem). (Joe) - XMLRPC: - . Fixed #72155 (use-after-free caused by get_zval_xmlrpc_type). (Joe) + . Fixed bug #72155 (use-after-free caused by get_zval_xmlrpc_type). + (Joe, Laruence) - Zip: . Fixed ug #72258 (ZipArchive converts filenames to unrecoverable form).
diff --git a/ext/xmlrpc/tests/bug72155.phpt b/ext/xmlrpc/tests/bug72155.phpt
new file mode 100644
index 0000000000..38c90be252
--- /dev/null
+++ b/ext/xmlrpc/tests/bug72155.phpt
@@ -0,0 +1,22 @@
+--TEST-- +Bug #72155 (use-after-free caused by get_zval_xmlrpc_type) +--SKIPIF-- + +--FILE-- + +--EXPECTF-- +string(109) " + + + + 5 + + + +"
diff --git a/ext/xmlrpc/xmlrpc-epi-php.c b/ext/xmlrpc/xmlrpc-epi-php.c
index ea62bdc9a9..b5dcee8f0d 100644
--- a/ext/xmlrpc/xmlrpc-epi-php.c
+++ b/ext/xmlrpc/xmlrpc-epi-php.c
@@ -535,7 +535,7 @@ static XMLRPC_VALUE PHP_to_XMLRPC_worker (const char* key, zval* in_val, int dep
 xReturn = XMLRPC_CreateValueBoolean(key, Z_TYPE(val) == IS_TRUE);
 break;
 case xmlrpc_int:
- convert_to_long(&val);
+ ZVAL_LONG(&val, zval_get_long(&val));
 xReturn = XMLRPC_CreateValueInt(key, Z_LVAL(val));
 break;
 case xmlrpc_double:
-- 2.50.1
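Review bot: The replacement line in the `xmlrpc_int` case carries no comment saying why it reads the value with `zval_get_long()` instead of converting in place, so a later cleanup could restore `convert_to_long(&val)` and bring the use-after-free from bug #72155 back. I would add above it `/* do not convert in place: val may share its payload with in_val, and convert_to_long() would release it (bug #72155) */`, worded as an assumption because `get_zval_xmlrpc_type` is not visible here. Only this case is changed; the `xmlrpc_double` case starts on the hunk's last line and the rest of the switch lies outside it, so any sibling case that still calls a `convert_to_*()` helper on `val` should be checked for the same lifetime problem. Separately, `Z_LVAL(val)` is a `zend_long` passed to `XMLRPC_CreateValueInt`, which presumably takes a C `int`, so a range check or a documented truncation is worth considering on 64-bit builds.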