From: Ilia Alshanetsky <iliaa@php.net>
Date: Wed, 14 Mar 2007 19:37:07 +0000 (+0000)
Subject: Fixed MOPB-22-2007:PHP session_regenerate_id() Double Free Vulnerability
X-Git-Tag: php-5.2.2RC1~144
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=7aab16c333c25efccafd953e89e767e009e527e4;p=php

Fixed MOPB-22-2007:PHP session_regenerate_id() Double Free Vulnerability

# Discovered by Stefan Esser
---

diff --git a/ext/session/session.c b/ext/session/session.c
index 2b20dde0aa..72606a22d9 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -846,6 +846,7 @@ new_session:
 	} else if (PS(invalid_session_id)) { /* address instances where the session read fails due to an invalid id */
 		PS(invalid_session_id) = 0;
 		efree(PS(id));
+		PS(id) = NULL;
 		goto new_session;
 	}
 }
@@ -1575,6 +1576,7 @@ PHP_FUNCTION(session_regenerate_id)
 				RETURN_FALSE;
 			}
 			efree(PS(id));
+			PS(id) = NULL;
 		}
 	
 		PS(id) = PS(mod)->s_create_sid(&PS(mod_data), NULL TSRMLS_CC);