From 8c48eca1bfa7c5215c5a689a0abee850adcb00c6 Mon Sep 17 00:00:00 2001
From: Arnaud Le Blanc <lbarnaud@php.net>
Date: Sat, 6 Sep 2008 08:22:25 +0000
Subject: [PATCH] Fix mem leak and invalid frees in rfc1867 post handler

---
 main/rfc1867.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/main/rfc1867.c b/main/rfc1867.c
index b0e381b88a..c56d819df5 100644
--- a/main/rfc1867.c
+++ b/main/rfc1867.c
@@ -1300,13 +1300,13 @@ var_done:
 					if (cancel_upload != UPLOAD_ERROR_E) { /* file creation failed */
 						unlink(ascii_temp_filename);
 					}
-					efree(ascii_temp_filename);
 					efree(temp_filename);
 				}
 				temp_filename = EMPTY_STR;
 			} else {
 				zend_u_hash_add(SG(rfc1867_uploaded_files), IS_UNICODE, ZSTR(temp_filename), u_strlen(temp_filename) + 1, &temp_filename, sizeof(UChar *), NULL);
 			}
+			efree(ascii_temp_filename);
 
 			/* is_arr_upload is true when name of file upload field
 			 * ends in [.*]
@@ -1372,7 +1372,7 @@ var_done:
 
 			/* Possible Content-Type: */
 			if (cancel_upload || !(cd = php_mime_get_hdr_value(header, "Content-Type"))) {
-				ucd = EMPTY_STR;
+				ucd = ecalloc(1, UBYTES(1));
 				ucd_len = 0;
 			} else { 
 				ucd = php_ap_to_unicode(cd, strlen(cd), &ucd_len TSRMLS_CC);
@@ -1470,7 +1470,6 @@ var_done:
 				register_u_http_post_files_variable_ex(lbuf, &file_size, http_post_files, 0 TSRMLS_CC);
 			}
 			efree(param);
-			efree(filename);
 		}
 	}
 
-- 
2.40.0