Fixed bug #68901 (use after free)

author Xinchen Hui <laruence@php.net>

Wed, 28 Jan 2015 16:00:09 +0000 (00:00 +0800)

committer Stanislav Malyshev <stas@php.net>

Sat, 11 Apr 2015 23:28:07 +0000 (16:28 -0700)
author Xinchen Hui <laruence@php.net>
Wed, 28 Jan 2015 16:00:09 +0000 (00:00 +0800)
committer Stanislav Malyshev <stas@php.net>
Sat, 11 Apr 2015 23:28:07 +0000 (16:28 -0700)
diff --git a/NEWS b/NEWS

index 0a83818e2e2d3cbe9214951648ef645423ca85a0..584defdc4e58bb77b348dfc5e7efe79c74773f51 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -15,6 +15,9 @@ PHP                                                                        NEWS
  - Sqlite3:
    . Fixed bug #66550 (SQLite prepared statement use-after-free). (Sean Heelan)
  
+- Phar:
+  . Fixed bug #68901 (use after free). (bugreports at internot dot info)
+
  - Postgres:
    . Fixed bug #68741 (Null pointer deference) (CVE-2015-1352). (Xinchen Hui)
  
diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c

index a021200fda528c9e3d1af2247dcc98f807ac33a9..add1fa0d5c7bded8901f5ee5f62b68a8e2435464 100644 (file)
--- a/ext/phar/phar_object.c
+++ b/ext/phar/phar_object.c
@@ -2211,8 +2211,8 @@ static zval *phar_rename_archive(phar_archive_data *phar, char *ext, zend_bool c
         }
  its_ok:
         if (SUCCESS == php_stream_stat_path(newpath, &ssb)) {
-               efree(oldpath);
                 zend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, "phar \"%s\" exists and must be unlinked prior to conversion", newpath);
+               efree(oldpath);
                 return NULL;
         }
         if (!phar->is_data) {
author	Xinchen Hui <laruence@php.net>
	Wed, 28 Jan 2015 16:00:09 +0000 (00:00 +0800)
committer	Stanislav Malyshev <stas@php.net>
	Sat, 11 Apr 2015 23:28:07 +0000 (16:28 -0700)
NEWS		patch \| blob \| history
ext/phar/phar_object.c		patch \| blob \| history