Fix bug #73631 - Invalid read when wddx decodes empty boolean element

smalyshev · smalyshev · commit 266ecb6d0a1a · 2016-12-05T21:40:55.000-08:00
diff --git a/NEWS b/NEWS
@@ -9,6 +9,10 @@ PHP                                                                        NEWS
   . Fixed bug #68447 (grapheme_extract take an extra trailing character). 
     (SATŌ Kentarō)
 
+- WDDX:
+  . Fixed bug #73631 (Memory leak due to invalid wddx stack processing). 
+    (bughunter at fosec dot vn).
+
 08 Dec 2016, PHP 5.6.29
 
 - Mbstring:
diff --git a/ext/wddx/tests/bug73631.phpt b/ext/wddx/tests/bug73631.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #73631 (Memory leak due to invalid wddx stack processing)
+--SKIPIF--
+<?php if (!extension_loaded("wddx")) print "skip"; ?>
+--FILE--
+<?php
+$xml = <<<EOF
+<?xml version="1.0" ?>
+<wddxPacket version="1.0">
+<number>1234</number>
+<binary><boolean/></binary>
+</wddxPacket>
+EOF;
+$wddx = wddx_deserialize($xml);
+var_dump($wddx);
+?>
+--EXPECTF--
+int(1234)
+
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
@@ -811,6 +811,11 @@ static void php_wddx_push_element(void *user_data, const XML_Char *name, const X
 				php_wddx_process_data(user_data, atts[i+1], strlen(atts[i+1]));
 				break;
 			}
+		} else {
+			ent.type = ST_BOOLEAN;
+			SET_STACK_VARNAME;
+			ZVAL_FALSE(&ent.data);
+			wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry));
 		}
 	} else if (!strcmp(name, EL_NULL)) {
 		ent.type = ST_NULL;

Original file line number	Diff line number	Diff line change
`@@ -811,6 +811,11 @@ static void php_wddx_push_element(void user_data, const XML_Char name, const X`
`811`	`811`	`php_wddx_process_data(user_data, atts[i+1], strlen(atts[i+1]));`
`812`	`812`	`break;`
`813`	`813`	`}`
	`814`	`+ } else {`
	`815`	`+ ent.type = ST_BOOLEAN;`
	`816`	`+ SET_STACK_VARNAME;`
	`817`	`+ ZVAL_FALSE(&ent.data);`
	`818`	`+ wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry));`
`814`	`819`	`}`
`815`	`820`	`} else if (!strcmp(name, EL_NULL)) {`
`816`	`821`	`ent.type = ST_NULL;`