Partial fix for bug #79029

diff --git a/ext/xmlwriter/php_xmlwriter.c b/ext/xmlwriter/php_xmlwriter.c
index 2fa4e328544f27c72952af8796738dac9b36590f..a4f1df39173301948f7af1e9ccf53cffb72ba8db 100644 (file)
--- a/ext/xmlwriter/php_xmlwriter.c
+++ b/ext/xmlwriter/php_xmlwriter.c
@@ -83,13 +83,15 @@ typedef int (*xmlwriter_read_int_t)(xmlTextWriterPtr writer);
 static void xmlwriter_free_resource_ptr(xmlwriter_object *intern)
 {
        if (intern) {
-               if (intern->ptr) {
-                       xmlFreeTextWriter(intern->ptr);
-                       intern->ptr = NULL;
-               }
-               if (intern->output) {
-                       xmlBufferFree(intern->output);
-                       intern->output = NULL;
+               if (EG(active)) {
+                       if (intern->ptr) {
+                               xmlFreeTextWriter(intern->ptr);
+                               intern->ptr = NULL;
+                       }
+                       if (intern->output) {
+                               xmlBufferFree(intern->output);
+                               intern->output = NULL;
+                       }
                }
                efree(intern);
        }

diff --git a/ext/xmlwriter/tests/bug79029_1.phpt b/ext/xmlwriter/tests/bug79029_1.phpt
new file mode 100644 (file)
index 0000000..c91295c
--- /dev/null
+++ b/ext/xmlwriter/tests/bug79029_1.phpt
@@ -0,0 +1,13 @@
+--TEST--
+#79029 (Use After Free's in XMLReader / XMLWriter)
+--SKIPIF--
+<?php if (!extension_loaded("xmlwriter")) print "skip"; ?>
+--FILE--
+<?php
+$x = array( new XMLWriter() );
+$x[0]->openUri("a");
+$x[0]->startComment();
+?>
+okey
+--EXPECT--
+okey