From 81326efabee10d9b5f74e32a50bee4684b1fb4af Mon Sep 17 00:00:00 2001
From: Michael Wallner
Date: Wed, 9 Jul 2014 11:15:47 +0200
Subject: [PATCH] fix use after free if the closure returns true

---
 php_http_client.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/php_http_client.c b/php_http_client.c
index 8a166fc..f96164b 100644
--- a/php_http_client.c
+++ b/php_http_client.c
@@ -377,6 +377,7 @@ static void handle_history(zval *zclient, php_http_message_t *request, php_http_
 static STATUS handle_response(void *arg, php_http_client_t *client, php_http_client_enqueue_t *e, php_http_message_t **request, php_http_message_t **response)
 {
+ zend_bool dequeue = 0;
 zval zclient;
 php_http_message_t *msg;
 php_http_client_progress_state_t *progress;
@@ -430,8 +431,8 @@ static STATUS handle_response(void *arg, php_http_client_t *client, php_http_cli
 zend_fcall_info_argn(&e->closure.fci TSRMLS_CC, 0);
 if (retval) {
- if (Z_TYPE_P(retval) == IS_BOOL && Z_BVAL_P(retval)) {
- php_http_client_dequeue(client, e->request);
+ if (Z_TYPE_P(retval) == IS_BOOL) {
+ dequeue = Z_BVAL_P(retval);
 }
 zval_ptr_dtor(&retval);
 }
@@ -447,6 +448,10 @@ static STATUS handle_response(void *arg, php_http_client_t *client, php_http_cli
 client->callback.progress.func(client->callback.progress.arg, client, e, progress);
 }
+ if (dequeue) {
+ php_http_client_dequeue(client, e->request);
+ }
+
 return SUCCESS;
 }
--
2.30.2
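Review bot: The new `dequeue = Z_BVAL_P(retval);` assignment in the second hunk has no comment explaining why the dequeue is no longer done in place, so a later cleanup could fold the call back into this branch and reintroduce the use after free. I would add `/* only record the request here; dequeuing now would release e while it is still used below */` above the assignment. That `e` is what gets released is inferred from the commit subject and the later uses of `e`, since php_http_client_dequeue() is not shown. The enclosing handle_response() starts and ends outside this hunk.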
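Review bot: The deferred `php_http_client_dequeue(client, e->request);` in the third hunk still dereferences `e` after the closure has run. It is therefore only safe if nothing before it has already released the enqueue, including the closure itself, should it be able to dequeue the same request; the visible lines cannot confirm that. The call must also stay the last use of `e` in handle_response(), and the caller that passed in `e`, `request` and `response` presumably must not read them once this returns. I would document that rule at the call, e.g. `/* last use of e: dequeue releases the enqueue; callers must not touch e, *request or *response afterwards */`, and check the callers of handle_response() against it.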