From: Scott MacVicar <scottmac@php.net>
Date: Fri, 13 May 2011 05:54:34 +0000 (+0000)
Subject: Fix use after free() in XMLReader::xml()
X-Git-Tag: php-5.4.0alpha1~191^2~12
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=2c7fb35b831c03827c68c25f91bc2e344c919626;p=php

Fix use after free() in XMLReader::xml()
---

diff --git a/ext/xmlreader/php_xmlreader.c b/ext/xmlreader/php_xmlreader.c
index 80ce3d7e3a..b9f6348c04 100644
--- a/ext/xmlreader/php_xmlreader.c
+++ b/ext/xmlreader/php_xmlreader.c
@@ -30,6 +30,7 @@
 #ifdef HAVE_DOM
 #include "ext/dom/xml_common.h"
 #endif
+#include <libxml/xmlreader.h>
 #include <libxml/uri.h>
 
 zend_class_entry *xmlreader_class_entry;
@@ -1091,9 +1092,7 @@ PHP_METHOD(xmlreader, XML)
 			uri = (char *) xmlCanonicPath((const xmlChar *) resolved_path);
 		}
 		reader = xmlNewTextReader(inputbfr, uri);
-		if (uri) {
-			xmlFree(uri);
-		}
+
 		if (reader != NULL) {
 #if LIBXML_VERSION >= 20628
 			ret = xmlTextReaderSetup(reader, NULL, uri, encoding, options);
@@ -1107,11 +1106,20 @@ PHP_METHOD(xmlreader, XML)
 				}
 				intern->input = inputbfr;
 				intern->ptr = reader;
+
+				if (uri) {
+					xmlFree(uri);
+				}
+
 				return;
 			}
 		}
 	}
 
+	if (uri) {
+		xmlFree(uri);
+	}
+
 	if (inputbfr) {
 		xmlFreeParserInputBuffer(inputbfr);
 	}