From e5aa3651470e5f741b16d4f3cd55b7ae6ac5d23a Mon Sep 17 00:00:00 2001
From: Xinchen Hui <laruence@gmail.com>
Date: Fri, 28 Oct 2016 21:21:24 +0800
Subject: Fixed bug #73392 (A use-after-free in zend allocator management)

---
 ext/pcre/php_pcre.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

(limited to 'ext/pcre/php_pcre.c')

diff --git a/ext/pcre/php_pcre.c b/ext/pcre/php_pcre.c
index 31c97cf975..b1ffe7f228 100644
--- a/ext/pcre/php_pcre.c
+++ b/ext/pcre/php_pcre.c
@@ -1523,7 +1523,10 @@ static int preg_replace_impl(zval *return_value, zval *regex, zval *replace, zva
 				RETVAL_STR(result);
 			} else {
 				zend_string_release(result);
+				RETVAL_NULL();
 			}
+		} else {
+			RETVAL_NULL();
 		}
 	}
 
@@ -1616,7 +1619,6 @@ static PHP_FUNCTION(preg_replace_callback_array)
 		Z_PARAM_ZVAL_EX(zcount, 0, 1)
 	ZEND_PARSE_PARAMETERS_END();
 
-	ZVAL_UNDEF(&zv);
 	ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(pattern), str_idx, replace) {
 		if (str_idx) {
 			ZVAL_STR_COPY(&regex, str_idx);
@@ -1645,10 +1647,6 @@ static PHP_FUNCTION(preg_replace_callback_array)
 
 		zval_ptr_dtor(&regex);
 
-		if (Z_ISUNDEF(zv)) {
-			RETURN_NULL();
-		}
-
 		ZVAL_COPY_VALUE(return_value, &zv);
 
 		if (UNEXPECTED(EG(exception))) {
-- 
cgit v1.2.1