Bugfix# 29114 Potential double free in php_stat

2 files changed, 7 insertions, 3 deletions

diff --git a/NEWS b/NEWS
index fc8f5f9407..8298c2a979 100644
--- a/NEWS
+++ b/NEWS
@@ -6,7 +6,8 @@ PHP 4                                                                      NEWS
   for doing performance stats without warnings in server-log. (Uwe Schindler)
 - Fixed bug #29116 (Zend constant warning uses memory after free). (Marcus,
   jdolecek at NetBSD dot org)
-- Fixed Bug #29075 (strnatcmp() incorrectly handles whitespace). (Curt, Ilia)
+- Fixed bug #29114 (Potential double free in php_stat). (Sara)
+- Fixed bug #29075 (strnatcmp() incorrectly handles whitespace). (Curt, Ilia)
 - Fixed bug #29049 (array sorting via user function/method does not validate 
   it). (Ilia)
 - Fixed bug #29038 (extract() with EXTR_PREFIX_SAME prefixes empty strings).
diff --git a/ext/standard/filestat.c b/ext/standard/filestat.c
index ea7b42a1e5..2b8a7c8267 100644
--- a/ext/standard/filestat.c
+++ b/ext/standard/filestat.c
@@ -613,8 +613,11 @@ static void php_stat(const char *filename, php_stat_len filename_length, int typ
 			if (!IS_LINK_OPERATION(type) && (!IS_EXISTS_CHECK(type) || (errno != ENOENT && errno != ENOTDIR))) { /* fileexists() test must print no error */
 				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Stat failed for %s (errno=%d - %s)", BG(CurrentStatFile), errno, strerror(errno));
 			}
-			efree(BG(CurrentStatFile));
-			BG(CurrentStatFile) = NULL;
+			/* This could be null if a failed stat leads to a user error handler which calls a failed stat */
+			if (BG(CurrentStatFile)) {
+				efree(BG(CurrentStatFile));
+				BG(CurrentStatFile) = NULL;
+			}
 #if HAVE_SYMLINK
 			if (!IS_LINK_OPERATION(type))  /* Don't require success for link operation */
 #endif