From 54a7e5d7c37d11cf186cb8b9107c88b1b5e08d5d Mon Sep 17 00:00:00 2001 From: Felipe Pena Date: Sun, 20 Feb 2011 16:33:53 +0000 Subject: [PATCH] - Fixed memory leak in DirectoryIterator::getExtension() and SplFileInfo::getExtension() --- NEWS | 8 ++++++-- ext/spl/spl_directory.c | 28 ++++++++++++++++++++-------- 2 files changed, 26 insertions(+), 10 deletions(-) diff --git a/NEWS b/NEWS index f4668196ef..0bc73ddb6b 100644 --- a/NEWS +++ b/NEWS @@ -5,9 +5,13 @@ . Fixed bug #43512 (same parameter name can be used multiple times in method/function definition). (Felipe) -- Exif extension - . Fixed bug #54002 (crash on crafted tag, reported by Luca Carettoni). (Pierre). (CVE-2011-0708) +- Exif extension: + . Fixed bug #54002 (crash on crafted tag, reported by Luca Carettoni). (Pierre) + (CVE-2011-0708) +- SPL extension: + . Fixed memory leak in DirectoryIterator::getExtension() and + SplFileInfo::getExtension(). (Felipe) 17 Feb 2011, PHP 5.3.6RC1 - Upgraded bundled Sqlite3 to version 3.7.4. (Ilia) - Upgraded bundled PCRE to version 8.11. (Ilia) diff --git a/ext/spl/spl_directory.c b/ext/spl/spl_directory.c index c143cd0ead..f6a2750d06 100755 --- a/ext/spl/spl_directory.c +++ b/ext/spl/spl_directory.c @@ -854,7 +854,8 @@ SPL_METHOD(DirectoryIterator, getFilename) SPL_METHOD(SplFileInfo, getExtension) { spl_filesystem_object *intern = (spl_filesystem_object*)zend_object_store_get_object(getThis() TSRMLS_CC); - char *fname, *p; + char *fname = NULL; + const char *p; size_t flen; int path_len, idx; @@ -877,10 +878,15 @@ SPL_METHOD(SplFileInfo, getExtension) p = zend_memrchr(fname, '.', flen); if (p) { idx = p - fname; - RETURN_STRINGL(fname + idx + 1, flen - idx - 1, 1); + RETVAL_STRINGL(fname + idx + 1, flen - idx - 1, 1); + efree(fname); + return; + } else { + if (fname) { + efree(fname); + } + RETURN_EMPTY_STRING(); } - - RETURN_EMPTY_STRING(); } /* }}}*/ 
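Review bot: In the new `else` branch of SplFileInfo::getExtension() (hunk at -877), the `if (fname)` guard runs only after `fname` has already been passed to `zend_memrchr(fname, '.', flen)`, so it cannot protect that call. The code that assigns `fname` and `flen` lies between the two hunks and is not visible here. If any path there can leave `fname` at its new `NULL` initialiser, `flen` (declared without an initialiser) would also be unset at that call, and the check belongs before the lookup. If no such path exists, the guard is dead code and the branch can start with a plain `efree(fname);`, as the `if (p)` branch does. The same pattern is repeated in the DirectoryIterator::getExtension() hunk at -902. A short comment above `RETVAL_STRINGL`, such as `/* dup=1 copies the extension, so fname can be released right after */`, would also record why freeing the buffer immediately afterwards is safe.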
@@ -889,7 +895,8 @@ SPL_METHOD(SplFileInfo, getExtension)
 SPL_METHOD(DirectoryIterator, getExtension)
 {
 spl_filesystem_object *intern = (spl_filesystem_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
- char *fname, *p;
+ char *fname = NULL;
+ const char *p;
 size_t flen;
 int idx;

@@ -902,10 +909,15 @@ SPL_METHOD(DirectoryIterator, getExtension)
 p = zend_memrchr(fname, '.', flen);
 if (p) {
 idx = p - fname;
- RETURN_STRINGL(fname + idx + 1, flen - idx - 1, 1);
+ RETVAL_STRINGL(fname + idx + 1, flen - idx - 1, 1);
+ efree(fname);
+ return;
+ } else {
+ if (fname) {
+ efree(fname);
+ }
+ RETURN_EMPTY_STRING();
 }
-
- RETURN_EMPTY_STRING();
 }
 /* }}} */

-- 
2.40.0
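Review bot: The tail of DirectoryIterator::getExtension() (hunk at -902) now releases `fname` in two places, one per branch, and is a line-for-line copy of the tail added to SplFileInfo::getExtension(). Setting the result in each branch with `RETVAL_STRINGL(...)` / `RETVAL_EMPTY_STRING();` and following the `if`/`else` with a single `efree(fname);` would give one release point (keep the `if (fname)` guard there only if a NULL is really possible). A later edit that adds a return path is then less likely to reintroduce the leak or free the buffer twice. Separately, `idx` is an `int` that receives the pointer difference `p - fname` and is then mixed with the `size_t` `flen`; passing `p + 1` and `flen - (size_t)(p - fname) - 1` directly would drop the narrowing and the extra local. The function starts outside this hunk, so the allocation of `fname` is not visible here.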