wddx_deserialize use-after-free
I
Internet Bug Bounty
Submitted None
Actions:
Reported by
fms
Vulnerability Details
Technical details and impact analysis
Upstream Bug
---
https://bugs.php.net/bug.php?id=72860
Summary
--
wddx_deserialize allows to unserialize a WDDX packet that usually comes from external input.
While WDDX tries to deserialize "recordset" element, use-after-free happens if the close tag for the field is not found.
Patch
--
```
http://git.php.net/?p=php-src.git;a=commit;h=780daee62b55995a10f8e849159eff0a25bacb9d
```
Fixed for PHP 5.6.26 and 7.0.11
--
http://php.net/ChangeLog-5.php
http://php.net/ChangeLog-7.php
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Bounty
$500.00
Submitted
Weakness
Memory Corruption - Generic