From 62024e3a7e42fbad9d8af3d4cb80c2fbdb5af918 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Fri, 24 Oct 2025 10:21:26 +0200
Subject: [PATCH] Fix UAF in tidy when tidySetErrorBuffer() fails

We should not free `intern` as its stored in the object store as well, so the object store will already free it, leading to a UAF when the object store tries to read the object's fields.
---
 ext/tidy/tidy.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ext/tidy/tidy.c b/ext/tidy/tidy.c
index a42e2bc203770..434d5a8493bbe 100644
--- a/ext/tidy/tidy.c
+++ b/ext/tidy/tidy.c
@@ -434,7 +434,7 @@ static zend_object *tidy_object_new(zend_class_entry *class_type, zend_object_ha
 efree(intern->ptdoc->errbuf);
 tidyRelease(intern->ptdoc->doc);
 efree(intern->ptdoc);
- efree(intern);
+ /* TODO: convert to exception */
 php_error_docref(NULL, E_ERROR, "Could not set Tidy error buffer");
 }
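Review bot: After `efree(intern->ptdoc);` the object still carries a dangling `intern->ptdoc`, and now that `intern` is deliberately left for the object store to destroy, the free_obj handler that runs at that point will presumably see a non-NULL `ptdoc` and release `errbuf`, `doc` and `ptdoc` a second time — a use-after-free/double free the moment the new TODO turns the E_ERROR into an exception, and possibly already during bailout shutdown when the store flushes live objects. Add `intern->ptdoc = NULL;` directly after `efree(intern->ptdoc);` so the destructor sees a cleanly torn-down object regardless of which error mechanism is in use. tidy_object_new begins before this hunk and continues after it, so I cannot see whether a later path already clears the field or whether the free_obj handler guards on it.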