From 58df9fcf98350af60d6eea3425e563946d5c897b Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Fri, 24 Oct 2025 10:21:26 +0200
Subject: [PATCH] Fix UAF in tidy when tidySetErrorBuffer() fails

We should not free `intern` as its stored in the object store as well, so the object store will already free it, leading to a UAF when the object store tries to read the object's fields.

Closes GH-20276.
---
 NEWS            | 2 +-
 ext/tidy/tidy.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index 0ecf44b4c4c..01b077a7b83 100644
--- a/NEWS
+++ b/NEWS
@@ -74,10 +74,10 @@ PHP NEWS
   . Fixed bug GH-19798: XP_SOCKET XP_SSL (Socket stream modules): Incorrect
     condition for Win32/Win64. (Jakub Zelenka)
 
-
 - Tidy:
   . Fixed GH-19021 (improved tidyOptGetCategory detection). (arjendekorte,
     David Carlier, Peter Kokot)
+  . Fix UAF in tidy when tidySetErrorBuffer() fails. (nielsdos)
 
 - XMLReader:
   . Fix arginfo/zpp violations when LIBXML_SCHEMAS_ENABLED is not available.
diff --git a/ext/tidy/tidy.c b/ext/tidy/tidy.c
index a42e2bc2037..434d5a8493b 100644
--- a/ext/tidy/tidy.c
+++ b/ext/tidy/tidy.c
@@ -434,7 +434,7 @@ static zend_object *tidy_object_new(zend_class_entry *class_type, zend_object_ha
 			efree(intern->ptdoc->errbuf);
 			tidyRelease(intern->ptdoc->doc);
 			efree(intern->ptdoc);
-			efree(intern);
+			/* TODO: convert to exception */
 			php_error_docref(NULL, E_ERROR, "Could not set Tidy error buffer");
 		}
 
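Review bot: After the rewritten failure branch in tidy_object_new, `intern->ptdoc` still points at memory that `efree(intern->ptdoc)` on the preceding line has released, while the object itself is now intentionally left in the object store for the engine to release; if the class's free_obj handler inspects `intern->ptdoc` (not visible in this hunk), that release path would read freed memory, the same class of defect this commit fixes. Clearing the field right after the free, `intern->ptdoc = NULL;`, leaves the partially constructed object in a state the object store can tear down safely regardless of what the handler does. The new TODO line would also carry more weight if it recorded why `efree(intern)` must not come back, e.g. `/* TODO: convert to exception. E_ERROR bails out; intern is owned by the object store and released there, so it must not be freed here. */`. The enclosing if body and the function start before the hunk.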