Description:
------------
The crash happens when client sends HTTP_AUTHORIZATION header starting with "Digest " once and then makes another request with no authorization request specified. Underlying reason is that SG(request_info).auth_digest is set on the first request and later freed when the request is finished, but SG(request_info).auth_digest is never cleared. Thus on next request SG(request_info).auth_digest still contains the old pointer and once the request shutdown is performed the already freed pointer is accessed.

Patch below fixes it, though using sapi_initialize_empty_request on appropriate place might be a better fix.

--- sapi\isapi\php5isapi.c
+++ sapi\isapi\php5isapi.c
@@ -711,6 +711,7 @@
 		case SF_NOTIFY_PREPROC_HEADERS:
 			SG(request_info).auth_user = NULL;
 			SG(request_info).auth_password = NULL;
+			SG(request_info).auth_digest = NULL;
 			break;
 		case SF_NOTIFY_AUTHENTICATION: {
 				char *auth_user = ((HTTP_FILTER_AUTHENT *) pvNotification)->pszUser;
@@ -745,7 +746,7 @@
 	SG(request_info).content_length = lpECB->cbTotalBytes;
 	SG(sapi_headers).http_response_code = 200;  /* I think dwHttpStatusCode is invalid at this stage -RL */
 	if (!bFilterLoaded) { /* we don't have valid ISAPI Filter information */
-		SG(request_info).auth_user = SG(request_info).auth_password = NULL;
+		SG(request_info).auth_user = SG(request_info).auth_password = SG(request_info).auth_digest = NULL;
 	}
 
 #ifdef WITH_ZEUS