Fix UAF in tidy when tidySetErrorBuffer() fails

ndossche · ndossche · commit 58df9fcf9835 · 2025-10-24T21:19:47.000+02:00
We should not free `intern` as its stored in the object store as well, so the object store will already free it, leading to a UAF when the object store tries to read the object's fields. Closes phpGH-20276.
diff --git a/NEWS b/NEWS
@@ -74,10 +74,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-19798: XP_SOCKET XP_SSL (Socket stream modules): Incorrect
     condition for Win32/Win64. (Jakub Zelenka)
 
-
 - Tidy:
   . Fixed GH-19021 (improved tidyOptGetCategory detection).
     (arjendekorte, David Carlier, Peter Kokot)
+  . Fix UAF in tidy when tidySetErrorBuffer() fails. (nielsdos)
 
 - XMLReader:
   . Fix arginfo/zpp violations when LIBXML_SCHEMAS_ENABLED is not available.
diff --git a/ext/tidy/tidy.c b/ext/tidy/tidy.c
@@ -434,7 +434,7 @@ static zend_object *tidy_object_new(zend_class_entry *class_type, zend_object_ha
 				efree(intern->ptdoc->errbuf);
 				tidyRelease(intern->ptdoc->doc);
 				efree(intern->ptdoc);
-				efree(intern);
+				/* TODO: convert to exception */
 				php_error_docref(NULL, E_ERROR, "Could not set Tidy error buffer");
 			}
 

Original file line number	Diff line number	Diff line change
`@@ -434,7 +434,7 @@ static zend_object tidy_object_new(zend_class_entry class_type, zend_object_ha`
`434`	`434`	`efree(intern->ptdoc->errbuf);`
`435`	`435`	`tidyRelease(intern->ptdoc->doc);`
`436`	`436`	`efree(intern->ptdoc);`
`437`		`- efree(intern);`
	`437`	`+ /* TODO: convert to exception */`
`438`	`438`	`php_error_docref(NULL, E_ERROR, "Could not set Tidy error buffer");`
`439`	`439`	`}`
`440`	`440`