Re-Fixed bug #72155 (use-after-free caused by get_zval_xmlrpc_type)

2025-08-15 21:48:51 +02:00 · 2016-05-31 11:44:20 +08:00 · 2016-05-31 11:44:20 +08:00 · d1dd9b4558
commit d1dd9b4558
parent a811b5e38d
3 changed files with 26 additions and 3 deletions
--- a/5
+++ b/5
@ -33,10 +33,11 @@ PHP                                                                        NEWS
    (Thomas Punt)

 - XML:
-  . Fixed #72206 (xml_parser_create/xml_parser_free leaks mem). (Joe)
+  . Fixed bug #72206 (xml_parser_create/xml_parser_free leaks mem). (Joe)

 - XMLRPC:
-  . Fixed #72155 (use-after-free caused by get_zval_xmlrpc_type). (Joe)
+  . Fixed bug #72155 (use-after-free caused by get_zval_xmlrpc_type).
+    (Joe, Laruence)

 - Zip:
  . Fixed ug #72258 (ZipArchive converts filenames to unrecoverable form).
--- a/ext/xmlrpc/tests/bug72155.phpt
+++ b/ext/xmlrpc/tests/bug72155.phpt
@ -0,0 +1,22 @@
+--TEST--
+Bug #72155 (use-after-free caused by get_zval_xmlrpc_type)
+--SKIPIF--
+<?php
+if (!extension_loaded("xmlrpc")) print "skip";
+?>
+--FILE--
+<?php
+$var0 = fopen("/etc/passwd","r");
+$var1 = xmlrpc_encode($var0);
+var_dump($var1);
+?>
+--EXPECTF--
+string(109) "<?xml version="1.0" encoding="utf-8"?>
+<params>
+<param>
+ <value>
+  <int>5</int>
+ </value>
+</param>
+</params>
+"
--- a/ext/xmlrpc/xmlrpc-epi-php.c
+++ b/ext/xmlrpc/xmlrpc-epi-php.c
@ -535,7 +535,7 @@ static XMLRPC_VALUE PHP_to_XMLRPC_worker (const char* key, zval* in_val, int dep
 					xReturn = XMLRPC_CreateValueBoolean(key, Z_TYPE(val) == IS_TRUE);
 					break;
 				case xmlrpc_int:
-					convert_to_long(&val);
+					ZVAL_LONG(&val, zval_get_long(&val));
 					xReturn = XMLRPC_CreateValueInt(key, Z_LVAL(val));
 					break;
 				case xmlrpc_double: