Fixed bug #73173

nikic · nikic · commit 604827b694aa · 2017-06-25T20:17:06.000+02:00
Patch by tloi at fortinet dot com.
diff --git a/NEWS b/NEWS
@@ -11,6 +11,10 @@ PHP                                                                        NEWS
 - SPL:
   . Fixed bug #73471 (PHP freezes with AppendIterator). (jhdxr)
 
+- Wddx:
+  . Fixed bug #73173 (huge memleak when wddx_unserialize).
+    (tloi at fortinet dot com)
+
 - zlib:
   . Fixed bug #73944 (dictionary option of inflate_init() does not work).
     (wapmorgan)
diff --git a/ext/wddx/tests/bug73173.phpt b/ext/wddx/tests/bug73173.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Bug #73173: huge memleak when wddx_unserialize
+--SKIPIF--
+<?php if (!extension_loaded("wddx")) print "skip"; ?>
+--FILE--
+<?php
+
+$xml=<<<XML
+<?xml version='1.0'?>
+<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
+<wddxPacket>
+<var name="
+XML;
+
+$xml .= str_repeat('F',0x80000);
+
+$xml .= <<<XML
+">
+</wddxPacket>
+XML;
+var_dump(wddx_deserialize($xml));
+
+?>
+--EXPECT--
+NULL
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
@@ -241,6 +241,9 @@ static int wddx_stack_destroy(wddx_stack *stack)
 		}
 		efree(stack->elements);
 	}
+	if (stack->varname) {
+		efree(stack->varname);
+	}
 	return SUCCESS;
 }
 /* }}} */

Original file line number	Diff line number	Diff line change
`@@ -241,6 +241,9 @@ static int wddx_stack_destroy(wddx_stack *stack)`
`241`	`241`	`}`
`242`	`242`	`efree(stack->elements);`
`243`	`243`	`}`
	`244`	`+ if (stack->varname) {`
	`245`	`+ efree(stack->varname);`
	`246`	`+ }`
`244`	`247`	`return SUCCESS;`
`245`	`248`	`}`
`246`	`249`	`/* }}} */`