From 920a0afbf8f83962c70aaf9a144810f320be92b3 Mon Sep 17 00:00:00 2001

From: Xinchen Hui <laruence@php.net>

Date: Thu, 29 Jan 2015 00:00:09 +0800

Subject: [PATCH] Fixed bug #68901 (use after free)

---

 NEWS                   | 3 +++

 ext/phar/phar_object.c | 2 +-

 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c

index a021200..add1fa0 100644

--- a/ext/phar/phar_object.c

+++ b/ext/phar/phar_object.c

@@ -2139,8 +2139,8 @@ static zval *phar_rename_archive(phar_archive_data *phar, char *ext, zend_bool c

 	}

 its_ok:

 	if (SUCCESS == php_stream_stat_path(newpath, &ssb)) {

-		efree(oldpath);

 		zend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, "phar \"%s\" exists and must be unlinked prior to conversion", newpath);

+		efree(oldpath);

 		return NULL;

 	}

 	if (!phar->is_data) {