File php-unserialize-soap-type-confusion.patch of Package php5

From: Xinchen Hui <laruence@php.net>
Date: Fri, 27 Feb 2015 15:32:32 +0000 (+0800)
Subject: Fixed bug #69085 (SoapClient's __call() type confusion through unserialize()).
X-Git-Tag: php-5.5.23RC1~15
X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=commitdiff_plain;h=997b7e56302710bb3db00b56d0629ac75d73a207

Fixed bug #69085 (SoapClient's __call() type confusion through unserialize()).
---

--- ext/soap/soap.c
+++ ext/soap/soap.c
@@ -2564,7 +2564,7 @@ static int do_request(zval *this_ptr, xmlDoc *request, char *location, char *act
 	}
 
 	if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS &&
-	    Z_LVAL_PP(trace) > 0) {
+	    Z_TYPE_PP(trace) == IS_LONG && Z_LVAL_PP(trace) > 0) {
 		add_property_stringl(this_ptr, "__last_request", buf, buf_size, 1);
 	}
 
@@ -2599,7 +2599,7 @@ static int do_request(zval *this_ptr, xmlDoc *request, char *location, char *act
 		}
 		ret = FALSE;
 	} else if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS &&
-	    Z_LVAL_PP(trace) > 0) {
+	    Z_TYPE_PP(trace) == IS_LONG && Z_LVAL_PP(trace) > 0) {
 		add_property_stringl(this_ptr, "__last_response", Z_STRVAL_P(response), Z_STRLEN_P(response), 1);
 	}
 	zval_ptr_dtor(&params[4]);
@@ -2904,7 +2904,7 @@ PHP_METHOD(SoapClient, __call)
 	}
 
 	/* Add default headers */
-	if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__default_headers", sizeof("__default_headers"), (void **) &tmp)==SUCCESS) {
+	if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__default_headers", sizeof("__default_headers"), (void **) &tmp) == SUCCESS && Z_TYPE_PP(tmp) == IS_ARRAY) {
 		HashTable *default_headers = Z_ARRVAL_P(*tmp);
 		if (soap_headers) {
 			if (!free_soap_headers) {