FPM: Fix use after free in fpm_evaluate_full_path

hwde · devnexen · commit a83363e3612e · 2022-06-16T12:18:01.000+01:00
Closes #8796.
diff --git a/NEWS b/NEWS
@@ -45,6 +45,7 @@ PHP                                                                        NEWS
   . Fixed ACL build check on MacOS. (David Carlier)
   . Fixed bug #72185: php-fpm writes empty fcgi record causing nginx 502.
     (Jakub Zelenka, loveharmful)
+  . Fixes use after free. (Heiko Weber).
 
 - Mysqlnd:
   . Fixed bug #81719: mysqlnd/pdo password buffer overflow. (CVE-2022-31626)
diff --git a/sapi/fpm/fpm/fpm_conf.c b/sapi/fpm/fpm/fpm_conf.c
@@ -766,8 +766,8 @@ static int fpm_evaluate_full_path(char **path, struct fpm_worker_pool_s *wp, cha
 			}
 
 			if (strlen(*path) > strlen("$prefix")) {
-				free(*path);
 				tmp = strdup((*path) + strlen("$prefix"));
+				free(*path);
 				*path = tmp;
 			} else {
 				free(*path);

Original file line number	Diff line number	Diff line change
`@@ -766,8 +766,8 @@ static int fpm_evaluate_full_path(char *path, struct fpm_worker_pool_s wp, cha`
`766`	`766`	`}`
`767`	`767`
`768`	`768`	`if (strlen(*path) > strlen("$prefix")) {`
`769`		`- free(*path);`
`770`	`769`	`tmp = strdup((*path) + strlen("$prefix"));`
	`770`	`+ free(*path);`
`771`	`771`	`*path = tmp;`
`772`	`772`	`} else {`
`773`	`773`	`free(*path);`