Fixed bug #68901 (use after free)

author: Xinchen Hui <laruence@php.net> 2015-01-29 00:00:09 +0800
committer: Stanislav Malyshev <stas@php.net> 2015-04-11 16:28:07 -0700
commit: 920a0afbf8f83962c70aaf9a144810f320be92b3 (patch)
tree: d871025472174b8638be33c1ff83579a71e4f527
parent: 9a404df382d041127eaa601b3113587df45d510d (diff)
download: php-git-920a0afbf8f83962c70aaf9a144810f320be92b3.tar.gz
2 files changed, 4 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index 0a83818e2e..584defdc4e 100644
--- a/NEWS
+++ b/NEWS
@@ -15,6 +15,9 @@ PHP                                                                        NEWS
 - Sqlite3:
   . Fixed bug #66550 (SQLite prepared statement use-after-free). (Sean Heelan)
 
+- Phar:
+  . Fixed bug #68901 (use after free). (bugreports at internot dot info)
+
 - Postgres:
   . Fixed bug #68741 (Null pointer deference) (CVE-2015-1352). (Xinchen Hui)
 
diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
index a021200fda..add1fa0d5c 100644
--- a/ext/phar/phar_object.c
+++ b/ext/phar/phar_object.c
@@ -2211,8 +2211,8 @@ static zval *phar_rename_archive(phar_archive_data *phar, char *ext, zend_bool c
 	}
 its_ok:
 	if (SUCCESS == php_stream_stat_path(newpath, &ssb)) {
-		efree(oldpath);
 		zend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, "phar \"%s\" exists and must be unlinked prior to conversion", newpath);
+		efree(oldpath);
 		return NULL;
 	}
 	if (!phar->is_data) {
author	Xinchen Hui <laruence@php.net>	2015-01-29 00:00:09 +0800
committer	Stanislav Malyshev <stas@php.net>	2015-04-11 16:28:07 -0700
commit	920a0afbf8f83962c70aaf9a144810f320be92b3 (patch)
tree	d871025472174b8638be33c1ff83579a71e4f527
parent	9a404df382d041127eaa601b3113587df45d510d (diff)
download	php-git-920a0afbf8f83962c70aaf9a144810f320be92b3.tar.gz