From: Nikita Popov <nikita.ppv@gmail.com>
Date: Mon, 11 May 2020 08:21:31 +0000 (+0200)
Subject: Fix use-after-free in sysvsem
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=180971460357a7d5679036fb52fc127b8ff2cc1f;p=php

Fix use-after-free in sysvsem
---

diff --git a/ext/sysvsem/sysvsem.c b/ext/sysvsem/sysvsem.c
index 7422c64354..d2f8718652 100644
--- a/ext/sysvsem/sysvsem.c
+++ b/ext/sysvsem/sysvsem.c
@@ -117,13 +117,13 @@ static void sysvsem_free_obj(zend_object *object)
 	sysvsem_sem *sem_ptr = sysvsem_from_obj(object);
 	struct sembuf sop[2];
 	int opcount = 1;
-/*
- * if count == -1, semaphore has been removed
- * Need better way to handle this
- */
 
+	/*
+	 * if count == -1, semaphore has been removed
+	 * Need better way to handle this
+	 */
 	if (sem_ptr->count == -1 || !sem_ptr->auto_release) {
-		efree(sem_ptr);
+		zend_object_std_dtor(&sem_ptr->std);
 		return;
 	}
 	/* Decrement the usage count. */