Fix bug #71335: Type Confusion in WDDX Packet Deserialization

Author: smalyshev

ext/wddx/tests/bug71335.phpt

@@ -0,0 +1,33 @@
+--TEST--
+Bug #71335 (Type Confusion in WDDX Packet Deserialization)
+--SKIPIF--
+<?php
+if (!extension_loaded("wddx")) print "skip";
+?>
+--FILE--
+<?php
+$x = "<?xml version='1.0'?>
+<wddxPacket version='1.0'>
+<header/>
+	<data>
+		<struct>
+			<var name='php_class_name'>
+				<string>stdClass</string>
+			</var>
+			<var name='php_class_name'>
+				<string>stdClass</string>
+			</var>
+		</struct>
+	</data>
+</wddxPacket>";
+
+$d = wddx_deserialize($x);
+var_dump($d);
+?>
+DONE
+--EXPECTF--
+object(stdClass)#%d (1) {
+  ["php_class_name"]=>
+  string(8) "stdClass"
+}
+DONE

ext/wddx/wddx.c

@@ -978,7 +978,8 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
 
 				if (ent1->varname) {
 					if (!strcmp(ent1->varname, PHP_CLASS_NAME_VAR) &&
-						Z_TYPE_P(ent1->data) == IS_STRING && Z_STRLEN_P(ent1->data) && ent2->type == ST_STRUCT) {
+						Z_TYPE_P(ent1->data) == IS_STRING && Z_STRLEN_P(ent1->data) &&
+						ent2->type == ST_STRUCT && Z_TYPE_P(ent2->data) == IS_ARRAY) {
 						zend_bool incomplete_class = 0;
 
 						zend_str_tolower(Z_STRVAL_P(ent1->data), Z_STRLEN_P(ent1->data));