From 13fc7f20a44cf3563030ba54b22d67c3bad81870 Mon Sep 17 00:00:00 2001
From: manuel
Date: Fri, 6 Feb 2015 16:53:01 +0100
Subject: [PATCH] Invalid free of CG(interned_empty_string)

On failure php_escape_html_entities returns STR_EMPTY_ALLOC which is an alias of CG(interned_empty_string) if interned strings are enabled. Make sure we don't free this.
---
 ext/soap/soap.c | 4 ++--
 ext/wddx/wddx.c | 4 ++--
 main/main.c | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/ext/soap/soap.c b/ext/soap/soap.c
index 6a250baf58..b739d338d9 100644
--- a/ext/soap/soap.c
+++ b/ext/soap/soap.c
@@ -4004,7 +4004,7 @@ static xmlDocPtr serialize_response_call(sdlFunctionPtr function, char *function
 } else {
 xmlNodeSetContentLen(node, BAD_CAST(str), (int)new_len);
 }
- efree(str);
+ str_efree(str);
 }
 if (zend_hash_find(prop, "faultstring", sizeof("faultstring"), (void**)&tmp) == SUCCESS) {
 xmlNodePtr node = master_to_xml(get_conversion(IS_STRING), *tmp, SOAP_LITERAL, param TSRMLS_CC);
@@ -4029,7 +4029,7 @@ static xmlDocPtr serialize_response_call(sdlFunctionPtr function, char *function
 } else {
 xmlNodeSetContentLen(node, BAD_CAST(str), (int)new_len);
 }
- efree(str);
+ str_efree(str);
 }
 if (zend_hash_find(prop, "faultstring", sizeof("faultstring"), (void**)&tmp) == SUCCESS) {
 xmlNodePtr node = xmlNewChild(param, ns, BAD_CAST("Reason"), NULL);
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
index 4e91c18d59..0e96b364f9 100644
--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@@ -409,7 +409,7 @@ static void php_wddx_serialize_string(wddx_packet *packet, zval *var TSRMLS_DC)
 php_wddx_add_chunk_ex(packet, buf, buf_len);
- efree(buf);
+ str_efree(buf);
 }
 php_wddx_add_chunk_static(packet, WDDX_STRING_E);
 }
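Review bot: The `str_efree(str);` added in the first ext/soap/soap.c hunk (@@ -4004) has no comment saying why it differs from a plain `efree()`, so a later cleanup could turn it back and reintroduce the invalid free of the interned empty string. I would put `/* php_escape_html_entities() may return the interned empty string on failure; str_efree() must be used so it is not freed */` above the call. The same comment belongs at the other four sites this patch touches (soap.c @@ -4029, wddx.c @@ -409 and @@ -635, main.c @@ -918). Callers of php_escape_html_entities outside these three files are not visible here and should be checked for the same `efree()` on the result. The body of serialize_response_call starts and ends outside the hunk.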
@@ -635,7 +635,7 @@ void php_wddx_serialize_var(wddx_packet *packet, zval *var, char *name, int name
 snprintf(tmp_buf, name_esc_len + sizeof(WDDX_VAR_S), WDDX_VAR_S, name_esc);
 php_wddx_add_chunk(packet, tmp_buf);
 efree(tmp_buf);
- efree(name_esc);
+ str_efree(name_esc);
 }
 switch(Z_TYPE_P(var)) {
diff --git a/main/main.c b/main/main.c
index 16dc370ca1..331849cfc2 100644
--- a/main/main.c
+++ b/main/main.c
@@ -918,7 +918,7 @@ PHPAPI void php_verror(const char *docref, const char *params, int type, const c
 } else {
 spprintf(&message, 0, "%s: %s", origin, buffer);
 }
- efree(origin);
+ str_efree(origin);
 if (docref_buf) {
 efree(docref_buf);
 }
-- 
2.40.0
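Review bot: In the ext/wddx/wddx.c hunk at @@ -635 an escaping failure is still not detected, only freed correctly. By the time `str_efree(name_esc);` runs, the `snprintf`/`php_wddx_add_chunk` lines above it have already written the empty `name_esc` into the packet, which silently emits a variable with an empty name. The escaping call is outside the hunk, so this is inferred from the commit message, but the failure presumably depends on the input string. A guard before the `snprintf` along the lines of `if (name_esc_len == 0 && name_len > 0) { /* escaping failed: warn instead of emitting an unnamed var */ }` would surface it (`name_len` is assumed from the truncated signature). The same silent empty result applies to `buf` in php_wddx_serialize_string (@@ -409), to `str` in both soap.c hunks, and to `origin` in php_verror, where the `"%s: %s"` message would lose its origin prefix.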