From 9191862121411858036b0d2a06c3a99229c8bd24 Mon Sep 17 00:00:00 2001
From: Xinchen Hui <laruence@gmail.com>
Date: Thu, 5 May 2016 11:02:21 +0800
Subject: Fixed bug #72162 (use-after-free - error_reporting)

---
 Zend/zend_builtin_functions.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'Zend/zend_builtin_functions.c')

diff --git a/Zend/zend_builtin_functions.c b/Zend/zend_builtin_functions.c
index a576455fa3..558a1b2ac6 100644
--- a/Zend/zend_builtin_functions.c
+++ b/Zend/zend_builtin_functions.c
@@ -704,7 +704,8 @@ ZEND_FUNCTION(error_reporting)
 #endif
 
 	old_error_reporting = EG(error_reporting);
-	if(ZEND_NUM_ARGS() != 0) {
+	if (ZEND_NUM_ARGS() != 0) {
+		zend_string *new_val = zval_get_string(err);
 		do {
 			zend_ini_entry *p = EG(error_reporting_ini_entry);
 
@@ -730,7 +731,7 @@ ZEND_FUNCTION(error_reporting)
 				zend_string_release(p->value);
 			}
 
-			p->value = zval_get_string(err);
+			p->value = new_val;
 			if (Z_TYPE_P(err) == IS_LONG) {
 				EG(error_reporting) = Z_LVAL_P(err);
 			} else {
-- 
cgit v1.2.1