Commit 77eaa43

committed

Fix concat_function use-after-free on out-of-memory error

1 parent c230aa9 commit 77eaa43Copy full SHA for 77eaa43

File tree

-5

lines changed

-5

lines changed

Lines changed: 8 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -2048,11 +2048,6 @@ has_op2_string:;`
`2048`	`2048`	`}`
`2049`	`2049`
`2050`	`2050`	`if (result == op1) {`
`2051`		`- if (free_op1_string) {`
`2052`		`- /* op1_string will be used as the result, so we should not free it */`
`2053`		`- i_zval_ptr_dtor(result);`
`2054`		`- free_op1_string = false;`
`2055`		`- }`
`2056`	`2051`	`/* special case, perform operations on result */`
`2057`	`2052`	`result_str = zend_string_extend(op1_string, result_len, 0);`
`2058`	`2053`	`/* account for the case where result_str == op1_string == op2_string and the realloc is done */`
`@@ -2063,6 +2058,14 @@ has_op2_string:;`
`2063`	`2058`	`}`
`2064`	`2059`	`op2_string = result_str;`
`2065`	`2060`	`}`
	`2061`	`+ /* Free result last, as zend_string_extend() may throw an out-of-memory error. If we free`
	`2062`	`+ * it before we would leave the released variable on the stack with shutdown trying to`
	`2063`	`+ * freeing it again. */`
	`2064`	`+ if (free_op1_string) {`
	`2065`	`+ /* op1_string will be used as the result, so we should not free it */`
	`2066`	`+ i_zval_ptr_dtor(result);`
	`2067`	`+ free_op1_string = false;`
	`2068`	`+ }`
`2066`	`2069`	`} else {`
`2067`	`2070`	`result_str = zend_string_alloc(result_len, 0);`
`2068`	`2071`	`memcpy(ZSTR_VAL(result_str), ZSTR_VAL(op1_string), op1_len);`

Comments

(0)