Skip to content

Instantly share code, notes, and snippets.

@smalyshev

smalyshev/71335.diff Secret

Created January 14, 2016 00:44
Show Gist options
  • Save smalyshev/c21bf4d8a3ec2c59192c to your computer and use it in GitHub Desktop.
Save smalyshev/c21bf4d8a3ec2c59192c to your computer and use it in GitHub Desktop.
Download ZIP
Raw
71335.diff
commit 285cd3417fb61597345b829f5f573707bbdcd484
Author: Stanislav Malyshev <[email protected]>
Date: Wed Jan 13 16:43:04 2016 -0800
Fix bug #71335: Type Confusion in WDDX Packet Deserialization
diff --git a/ext/wddx/tests/bug71335.phpt b/ext/wddx/tests/bug71335.phpt
new file mode 100644
index 0000000..57a7f14
--- /dev/null
+++ b/ext/wddx/tests/bug71335.phpt
@@ -0,0 +1,33 @@
+--TEST--
+Bug #71335 (Type Confusion in WDDX Packet Deserialization)
+--SKIPIF--
+<?php
+if (!extension_loaded("wddx")) print "skip";
+?>
+--FILE--
+<?php
+$x = "<?xml version='1.0'?>
+<wddxPacket version='1.0'>
+<header/>
+ <data>
+ <struct>
+ <var name='php_class_name'>
+ <string>stdClass</string>
+ </var>
+ <var name='php_class_name'>
+ <string>stdClass</string>
+ </var>
+ </struct>
+ </data>
+</wddxPacket>";
+
+$d = wddx_deserialize($x);
+var_dump($d);
+?>
+DONE
+--EXPECTF--
+object(stdClass)#%d (1) {
+ ["php_class_name"]=>
+ string(8) "stdClass"
+}
+DONE
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
index b9dd1fa..7267ee1 100644
--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@@ -978,7 +978,8 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
if (ent1->varname) {
if (!strcmp(ent1->varname, PHP_CLASS_NAME_VAR) &&
- Z_TYPE_P(ent1->data) == IS_STRING && Z_STRLEN_P(ent1->data) && ent2->type == ST_STRUCT) {
+ Z_TYPE_P(ent1->data) == IS_STRING && Z_STRLEN_P(ent1->data) &&
+ ent2->type == ST_STRUCT && Z_TYPE_P(ent2->data) == IS_ARRAY) {
zend_bool incomplete_class = 0;
zend_str_tolower(Z_STRVAL_P(ent1->data), Z_STRLEN_P(ent1->data));
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment