MFH: fix #38431 (xmlrpc_get_type() crashes PHP on objects)

3 files changed, 27 insertions, 1 deletions

diff --git a/NEWS b/NEWS
index eb96f3a2b3..18b45b9622 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,7 @@ PHP                                                                        NEWS
 - Fixed overflow on 64bit systems in str_repeat() and wordwrap(). (Stefan E.)
 - Disabled CURLOPT_FOLLOWLOCATION in curl when open_basedir or safe_mode are
   enabled. (Stefan E., Ilia)
+- Fixed bug #38431 (xmlrpc_get_type() crashes PHP on objects). (Tony)
 - Fixed bug #38322 (reading past array in sscanf() leads to arbitrary code
   execution). (Tony)
 - Fixed bug #38125 (undefined reference to spl_dual_it_free_storage). (Marcus)
diff --git a/ext/xmlrpc/tests/bug38431.phpt b/ext/xmlrpc/tests/bug38431.phpt
new file mode 100644
index 0000000000..288fe1041d
--- /dev/null
+++ b/ext/xmlrpc/tests/bug38431.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Bug #38431 (xmlrpc_get_type() crashes PHP on objects)
+--SKIPIF--
+<?php if (!extension_loaded("xmlrpc")) print "skip"; ?>
+--FILE--
+<?php
+
+var_dump(xmlrpc_get_type(new stdclass));
+var_dump(xmlrpc_get_type(array()));
+$var = array(1,2,3);
+var_dump(xmlrpc_get_type($var));
+$var = array("test"=>1,2,3);
+var_dump(xmlrpc_get_type($var));
+$var = array("test"=>1,"test2"=>2);
+var_dump(xmlrpc_get_type($var));
+
+echo "Done\n";
+?>
+--EXPECTF--	
+string(5) "array"
+string(5) "array"
+string(5) "array"
+string(5) "mixed"
+string(6) "struct"
+Done
diff --git a/ext/xmlrpc/xmlrpc-epi-php.c b/ext/xmlrpc/xmlrpc-epi-php.c
index 8b6f963f5d..69fe7534e9 100644
--- a/ext/xmlrpc/xmlrpc-epi-php.c
+++ b/ext/xmlrpc/xmlrpc-epi-php.c
@@ -1468,7 +1468,7 @@ PHP_FUNCTION(xmlrpc_get_type)
 
 	type = get_zval_xmlrpc_type(*arg, 0);
 	if (type == xmlrpc_vector) {
-		vtype = determine_vector_type(Z_ARRVAL_PP(arg));
+		vtype = determine_vector_type((Z_TYPE_PP(arg) == IS_OBJECT) ? Z_OBJPROP_PP(arg) : Z_ARRVAL_PP(arg));
 	}
    
 	RETURN_STRING((char*) xmlrpc_type_as_str(type, vtype), 1);