diff options
author | Sara Golemon <pollita@php.net> | 2004-07-16 05:08:15 +0000 |
---|---|---|
committer | Sara Golemon <pollita@php.net> | 2004-07-16 05:08:15 +0000 |
commit | 184917eb1f90744f13ac93d86bcaa35098127830 (patch) | |
tree | 722146c2c18e920a76f2912356e94375e86dbc45 | |
parent | 4bed8c9537df6b0413442277a92bbe5152237dba (diff) | |
download | php-git-184917eb1f90744f13ac93d86bcaa35098127830.tar.gz |
Bugfix# 29114 Potential double free in php_stat
-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | ext/standard/filestat.c | 7 |
2 files changed, 7 insertions, 3 deletions
@@ -6,7 +6,8 @@ PHP 4 NEWS for doing performance stats without warnings in server-log. (Uwe Schindler) - Fixed bug #29116 (Zend constant warning uses memory after free). (Marcus, jdolecek at NetBSD dot org) -- Fixed Bug #29075 (strnatcmp() incorrectly handles whitespace). (Curt, Ilia) +- Fixed bug #29114 (Potential double free in php_stat). (Sara) +- Fixed bug #29075 (strnatcmp() incorrectly handles whitespace). (Curt, Ilia) - Fixed bug #29049 (array sorting via user function/method does not validate it). (Ilia) - Fixed bug #29038 (extract() with EXTR_PREFIX_SAME prefixes empty strings). diff --git a/ext/standard/filestat.c b/ext/standard/filestat.c index ea7b42a1e5..2b8a7c8267 100644 --- a/ext/standard/filestat.c +++ b/ext/standard/filestat.c @@ -613,8 +613,11 @@ static void php_stat(const char *filename, php_stat_len filename_length, int typ if (!IS_LINK_OPERATION(type) && (!IS_EXISTS_CHECK(type) || (errno != ENOENT && errno != ENOTDIR))) { /* fileexists() test must print no error */ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Stat failed for %s (errno=%d - %s)", BG(CurrentStatFile), errno, strerror(errno)); } - efree(BG(CurrentStatFile)); - BG(CurrentStatFile) = NULL; + /* This could be null if a failed stat leads to a user error handler which calls a failed stat */ + if (BG(CurrentStatFile)) { + efree(BG(CurrentStatFile)); + BG(CurrentStatFile) = NULL; + } #if HAVE_SYMLINK if (!IS_LINK_OPERATION(type)) /* Don't require success for link operation */ #endif |