Fix #75282: xmlrpc_encode_request() crashes

Since we allow ext/xmlrpc to be built against a system libxmlrpc(-epi),
we must not `efree` memory which has been allocated via `malloc`.  To
distinguish bundled and system libxmlrpc(-epi) we introduce the macro
`HAVE_XMLRPC_BUNDLED` (analogous to how it is done by ext/gd).  We
deliberately keep the ugly `#ifdef`s, instead of tucking them away in
an `XMLRPC_FREE()` macro, to not forget that it is a bad idea to fork
and bundle a library, but to also allow building against an unpatched
system lib.

1 files changed, 12 insertions, 0 deletions

diff --git a/ext/xmlrpc/xmlrpc-epi-php.c b/ext/xmlrpc/xmlrpc-epi-php.c
index 97e04eb2ca..36fbff123c 100644
--- a/ext/xmlrpc/xmlrpc-epi-php.c
+++ b/ext/xmlrpc/xmlrpc-epi-php.c
@@ -701,7 +701,11 @@ PHP_FUNCTION(xmlrpc_encode_request)
 			outBuf = XMLRPC_REQUEST_ToXML(xRequest, 0);
 			if (outBuf) {
 				RETVAL_STRING(outBuf);
+#ifdef HAVE_XMLRPC_BUNDLED
 				efree(outBuf);
+#else
+				free(outBuf);
+#endif
 			}
 			XMLRPC_RequestFree(xRequest, 1);
 		}
@@ -735,7 +739,11 @@ PHP_FUNCTION(xmlrpc_encode)
 		if (xOut) {
 			if (outBuf) {
 				RETVAL_STRING(outBuf);
+#ifdef HAVE_XMLRPC_BUNDLED
 				efree(outBuf);
+#else
+				free(outBuf);
+#endif
 			}
 			/* cleanup */
 			XMLRPC_CleanupValue(xOut);
@@ -1102,7 +1110,11 @@ PHP_FUNCTION(xmlrpc_server_call_method)
 				outBuf = XMLRPC_REQUEST_ToXML(xResponse, &buf_len);
 				if (outBuf) {
 					RETVAL_STRINGL(outBuf, buf_len);
+#ifdef HAVE_XMLRPC_BUNDLED
 					efree(outBuf);
+#else
+					free(outBuf);
+#endif
 				}
 				/* cleanup after ourselves.  what a sty! */
 				XMLRPC_RequestFree(xResponse, 0);