php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #38378 wddx_serialize_value geneates no wellformed xml
Submitted: 2006-08-08 09:57 UTC Modified: 2006-08-24 08:30 UTC
Votes:5
Avg. Score:5.0 ± 0.0
Reproduced:5 of 5 (100.0%)
Same Version:4 (80.0%)
Same OS:3 (60.0%)
From: clemens at gutweiler dot net Assigned:
Status: Closed Package: WDDX related
PHP Version: 4.4.3 OS: Linux
Private report: No CVE-ID:
 [2006-08-08 09:57 UTC] clemens at gutweiler dot net
Description:
------------
wddx_serialize_value generates an invalid wddx package/xml 
string.

in php version 4.4.2 the sample code works, in 4.4.3 not.

Reproduce code:
---------------
<?php
        $array = array(
                'index' => array(
                        1 => 'integer key',
                        'string' => 'string key'
                )
        );
        var_dump( wddx_serialize_value( $array ) );
?>


Expected result:
----------------
/web/cg/playground# /usr/local/php-4.4.2-fastcgi/bin/php 
wddx.php 

string(219) "<wddxPacket version='1.0'><header/
><data><struct><var name='index'><struct><var 
name='1'><string>integer key</string></var><var 
name='string'><string>string key</string></var></struct></
var></struct></data></wddxPacket>"


Actual result:
--------------
/web/cg/playground# /usr/local/php-4.4.3-fastcgi/bin/php 
wddx.php 

string(179) "<wddxPacket version='1.0'><header/
><data><struct><var <struct><string>integer key</string></
var><var n<string>string key</string></var></struct></var></
struct></data></wddxPacket>"


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2006-08-17 13:06 UTC] hweidner at gmx dot net
The function wddx_serialize_vars seems also affected:

$array=array("aaa", "bbb", "ccc");
echo wddx_serialize_vars("array");

creates to the broken XML code unter PHP 4.4.3

<wddxPacket version='1.0'><header/><data><struct><var<array
length='3'><string>aaa</string><string>bbb</string><string>ccc</string></array></var></struct></data></wddxPacket>
 [2006-08-21 14:36 UTC] sj at sjaensch dot org
When replacing sprintf() with snprintf(), the length of the resulting string was calculated wrongly. Patch follows:


--- php-4.4.3/ext/wddx/wddx.c   Fri May 26 03:55:26 2006
+++ php-4.4.3-fixed/ext/wddx/wddx.c     Mon Aug 21 16:30:44 2006
@@ -626,12 +626,13 @@
 {
        char *tmp_buf;
        char *name_esc;
-       int name_esc_len;
+       int name_esc_len, tmp_buf_len;

        if (name) {
                name_esc = php_escape_html_entities(name, name_len, &name_esc_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
-               tmp_buf = emalloc(name_esc_len + 1);
-               snprintf(tmp_buf, name_esc_len, WDDX_VAR_S, name_esc);
+               tmp_buf_len = name_esc_len + strlen(WDDX_VAR_S);
+               tmp_buf = emalloc(tmp_buf_len+1);
+               snprintf(tmp_buf, tmp_buf_len, WDDX_VAR_S, name_esc);
                php_wddx_add_chunk(packet, tmp_buf);
                efree(tmp_buf);
                efree(name_esc);
 [2006-08-23 11:11 UTC] grzegorz dot nosek at netart dot pl
You also need something like the patch below because serialization of plain integers is broken too. If you don't want to use full WDDX_BUF_LEN, Z_STRLEN(tmp) + Z_STRLEN(WDDX_NUMBER) (or something) might suffice.

Without the patch things like <number>1</number> seem to get eaten.

Trivial test case attached in the following diff.

--- php/ext/wddx/wddx.c~        Wed Aug 23 12:01:10 2006
+++ php/ext/wddx/wddx.c Wed Aug 23 12:00:35 2006
@@ -432,7 +432,7 @@
        tmp = *var;
        zval_copy_ctor(&tmp);
        convert_to_string(&tmp);
-       snprintf(tmp_buf, Z_STRLEN(tmp), WDDX_NUMBER, Z_STRVAL(tmp));
+       snprintf(tmp_buf, WDDX_BUF_LEN, WDDX_NUMBER, Z_STRVAL(tmp));
        zval_dtor(&tmp);

        php_wddx_add_chunk(packet, tmp_buf);
--- /dev/null   Fri Jun 28 13:33:12 2002
+++ php/ext/wddx/tests/bug38738.phpt    Wed Aug 23 12:04:10 2006
@@ -0,0 +1,13 @@
+--TEST--
+Bug #38378     wddx_serialize_value geneates no wellformed xml
+--FILE--
+<?php
+
+$hash["int"] = 1;
+$hash["string"] = "test";
+
+print wddx_serialize_vars('hash')."\n";
+?>
+--EXPECT--
+<wddxPacket version='1.0'><header/><data><struct><var name='hash'><struct><var name='int'><number>1</number></var><var name='string'><string>test</string></var></struct></var></struct></data></wddxPacket>
+
 [2006-08-24 08:30 UTC] tony2001@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 18 05:03:21 2014 UTC