Fix use-after-free in sysvsem

author Nikita Popov <nikita.ppv@gmail.com>

Mon, 11 May 2020 08:21:31 +0000 (10:21 +0200)

committer Nikita Popov <nikita.ppv@gmail.com>

Mon, 11 May 2020 08:21:31 +0000 (10:21 +0200)
author Nikita Popov <nikita.ppv@gmail.com>
Mon, 11 May 2020 08:21:31 +0000 (10:21 +0200)
committer Nikita Popov <nikita.ppv@gmail.com>
Mon, 11 May 2020 08:21:31 +0000 (10:21 +0200)
diff --git a/ext/sysvsem/sysvsem.c b/ext/sysvsem/sysvsem.c

index 7422c64354ab8faba65dcdbe1d147ffb6ca8fd2a..d2f87186525f701582446b5d7922c373b781a068 100644 (file)
--- a/ext/sysvsem/sysvsem.c
+++ b/ext/sysvsem/sysvsem.c
@@ -117,13 +117,13 @@ static void sysvsem_free_obj(zend_object *object)
         sysvsem_sem *sem_ptr = sysvsem_from_obj(object);
         struct sembuf sop[2];
         int opcount = 1;
-/*
- * if count == -1, semaphore has been removed
- * Need better way to handle this
- */
  
+       /*
+        * if count == -1, semaphore has been removed
+        * Need better way to handle this
+        */
         if (sem_ptr->count == -1 || !sem_ptr->auto_release) {
-               efree(sem_ptr);
+               zend_object_std_dtor(&sem_ptr->std);
                 return;
         }
         /* Decrement the usage count. */
author	Nikita Popov <nikita.ppv@gmail.com>
	Mon, 11 May 2020 08:21:31 +0000 (10:21 +0200)
committer	Nikita Popov <nikita.ppv@gmail.com>
	Mon, 11 May 2020 08:21:31 +0000 (10:21 +0200)