Fixed #70728

Conflicts:
	ext/xmlrpc/xmlrpc-epi-php.c

ext/xmlrpc/tests/bug70728.phpt

@@ -0,0 +1,30 @@
+--TEST--
+Bug #70728 (Type Confusion Vulnerability in PHP_to_XMLRPC_worker)
+--SKIPIF--
+<?php
+if (!extension_loaded("xmlrpc")) print "skip";
+?>
+--FILE--
+<?php
+$obj = new stdClass;
+$obj->xmlrpc_type = 'base64';
+$obj->scalar = 0x1122334455;
+var_dump(xmlrpc_encode($obj));
+var_dump($obj);
+?>
+--EXPECTF--	
+string(135) "<?xml version="1.0" encoding="utf-8"?>
+<params>
+<param>
+ <value>
+  <base64>NzM1ODgyMjkyMDU=&#10;</base64>
+ </value>
+</param>
+</params>
+"
+object(stdClass)#1 (2) {
+  ["xmlrpc_type"]=>
+  string(6) "base64"
+  ["scalar"]=>
+  int(73588229205)
+}

ext/xmlrpc/xmlrpc-epi-php.c

@@ -514,7 +514,15 @@ static XMLRPC_VALUE PHP_to_XMLRPC_worker (const char* key, zval* in_val, int dep
 						xReturn = XMLRPC_CreateValueEmpty();
 						XMLRPC_SetValueID(xReturn, key, 0);
 					} else {
-						xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL(val), Z_STRLEN(val));
+						if (Z_TYPE(val) != IS_STRING) {
+							zval newvalue;
+							ZVAL_DUP(&newvalue, &val);
+							convert_to_string(newvalue);
+							xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL(newvalue), Z_STRLEN(newvalue));
+							zval_dtor(&newvalue);
+						} else {
+							xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL(val), Z_STRLEN(val));
+						}
 					}
 					break;
 				case xmlrpc_datetime:
@@ -1357,7 +1365,7 @@ XMLRPC_VALUE_TYPE get_zval_xmlrpc_type(zval* value, zval* newvalue) /* {{{ */
 		if (newvalue) {
 			zval* val;
 
-			if ((type == xmlrpc_base64 && Z_TYPE_P(value) != IS_NULL) || type == xmlrpc_datetime) {
+			if ((type == xmlrpc_base64 && Z_TYPE_P(value) == IS_OBJECT) || type == xmlrpc_datetime) {
 				if ((val = zend_hash_str_find(Z_OBJPROP_P(value), OBJECT_VALUE_ATTR, sizeof(OBJECT_VALUE_ATTR) - 1)) != NULL) {
 					ZVAL_COPY_VALUE(newvalue, val);
 				}