- Fixed invalid free in call_user_method() function

diff --git a/NEWS b/NEWS
index b62459eecb4f0e6a0a3e7c4e67983a49d3542a80..9ddd4014ede022d84cc7083d78c311cfc39b1730 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,7 @@ PHP                                                                        NEWS
     directory). (Felipe)
   . Fixed bug #55748 (multiple NULL Pointer Dereference with zend_strndup()) 
     (CVE-2011-4153). (Stas)
+  . Fixed invalid free in call_user_method() function. (Felipe)
     
 - Zend Engine:
   . Fixed bug #43200 (Interface implementation / inheritence not possible in

diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c
index 51625128744b7ea7c0151926cffffba0f0160edf..47769dec4cf66027947848fbb708860ec03b82dd 100644 (file)
--- a/ext/standard/basic_functions.c
+++ b/ext/standard/basic_functions.c
@@ -4762,7 +4762,9 @@ PHP_FUNCTION(call_user_method)
                Z_TYPE_P(object) != IS_STRING
        ) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "Second argument is not an object or class name");
-               efree(params);
+               if (params) {
+                       efree(params);
+               }
                RETURN_FALSE;
        }
 

diff --git a/ext/standard/tests/general_functions/call_user_method_002.phpt b/ext/standard/tests/general_functions/call_user_method_002.phpt
new file mode 100644 (file)
index 0000000..054bc3e
--- /dev/null
+++ b/ext/standard/tests/general_functions/call_user_method_002.phpt
@@ -0,0 +1,12 @@
+--TEST--
+call_user_method() Invalid free
+--FILE--
+<?php
+
+call_user_method("1", $arr1);
+
+?>
+--EXPECTF--
+Deprecated: Function call_user_method() is deprecated in %s on line %d
+
+Warning: call_user_method(): Second argument is not an object or class name in %s on line %d