Fix concat_function use-after-free on out-of-memory error

iluuu1994 · iluuu1994 · commit 77eaa433228f · 2023-05-22T17:36:05.000+02:00
Introduced by phpGH-10049
diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
@@ -2048,11 +2048,6 @@ has_op2_string:;
 		}
 
 		if (result == op1) {
-			if (free_op1_string) {
-				/* op1_string will be used as the result, so we should not free it */
-				i_zval_ptr_dtor(result);
-				free_op1_string = false;
-			}
 			/* special case, perform operations on result */
 			result_str = zend_string_extend(op1_string, result_len, 0);
 			/* account for the case where result_str == op1_string == op2_string and the realloc is done */
@@ -2063,6 +2058,14 @@ has_op2_string:;
 				}
 				op2_string = result_str;
 			}
+			/* Free result last, as zend_string_extend() may throw an out-of-memory error. If we free
+			 * it before we would leave the released variable on the stack with shutdown trying to
+			 * freeing it again. */
+			if (free_op1_string) {
+				/* op1_string will be used as the result, so we should not free it */
+				i_zval_ptr_dtor(result);
+				free_op1_string = false;
+			}
 		} else {
 			result_str = zend_string_alloc(result_len, 0);
 			memcpy(ZSTR_VAL(result_str), ZSTR_VAL(op1_string), op1_len);
