Merge branch 'PHP-8.3' into PHP-8.4

ndossche · ndossche · commit 9e4fbb5ca85e · 2025-10-24T21:20:43.000+02:00
* PHP-8.3:
  Fix UAF in tidy when tidySetErrorBuffer() fails
diff --git a/NEWS b/NEWS
@@ -82,6 +82,7 @@ PHP                                                                        NEWS
 - Tidy:
   . Fixed GH-19021 (improved tidyOptGetCategory detection).
     (arjendekorte, David Carlier, Peter Kokot)
+  . Fix UAF in tidy when tidySetErrorBuffer() fails. (nielsdos)
 
 - XMLReader:
   . Fix arginfo/zpp violations when LIBXML_SCHEMAS_ENABLED is not available.
diff --git a/ext/tidy/tidy.c b/ext/tidy/tidy.c
@@ -447,7 +447,7 @@ static zend_object *tidy_object_new(zend_class_entry *class_type, zend_object_ha
 				efree(intern->ptdoc->errbuf);
 				tidyRelease(intern->ptdoc->doc);
 				efree(intern->ptdoc);
-				efree(intern);
+				/* TODO: convert to exception */
 				php_error_docref(NULL, E_ERROR, "Could not set Tidy error buffer");
 			}
 

Original file line number	Diff line number	Diff line change
`@@ -447,7 +447,7 @@ static zend_object tidy_object_new(zend_class_entry class_type, zend_object_ha`
`447`	`447`	`efree(intern->ptdoc->errbuf);`
`448`	`448`	`tidyRelease(intern->ptdoc->doc);`
`449`	`449`	`efree(intern->ptdoc);`
`450`		`- efree(intern);`
	`450`	`+ /* TODO: convert to exception */`
`451`	`451`	`php_error_docref(NULL, E_ERROR, "Could not set Tidy error buffer");`
`452`	`452`	`}`
`453`	`453`