|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2016-01-14 00:45 UTC] stas@php.net
-PHP Version: Irrelevant
+PHP Version: 5.5.31
[2016-01-14 00:45 UTC] stas@php.net
[2016-01-14 00:46 UTC] stas@php.net
-Assigned To:
+Assigned To: stas
[2016-02-02 03:19 UTC] stas@php.net
[2016-02-02 03:19 UTC] stas@php.net
-Status: Assigned
+Status: Closed
[2016-02-02 03:36 UTC] stas@php.net
[2016-02-02 04:46 UTC] stas@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Tue Apr 16 09:01:28 2024 UTC |
Description: ------------ ``` zend_hash_merge(Z_OBJPROP_P(obj), Z_ARRVAL_P(ent2->data), (void (*)(void *)) zval_add_ref, (void *) &tmp, sizeof(zval *), 0); ``` PoC: ``` $x = "<?xml version='1.0'?> <wddxPacket version='1.0'> <header/> <data> <struct> <var name='php_class_name'> <string>stdClass</string> </var> <var name='php_class_name'> <string>stdClass</string> </var> </struct> </data> </wddxPacket>"; wddx_deserialize($x); ``` Fix: ``` if (Z_TYPE_P(ent2->data) == IS_ARRAY || Z_TYPE_P(ent2->data) == IS_OBJECT) { target_hash = HASH_OF(ent2->data); if (ent1->varname) { if (!strcmp(ent1->varname, PHP_CLASS_NAME_VAR) && - Z_TYPE_P(ent1->data) == IS_STRING && Z_STRLEN_P(ent1->data) && ent2->type == ST_STRUCT) { + Z_TYPE_P(ent1->data) == IS_STRING && Z_STRLEN_P(ent1->data) && ent2->type == ST_STRUCT && Z_TYPE_P(ent2->data) == IS_ARRAY) { ```