MFH: fix segfault/leak, add test

2 files changed, 86 insertions, 13 deletions

diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
index e10802be9f..4c381c3755 100644
--- a/ext/mbstring/php_mbregex.c
+++ b/ext/mbstring/php_mbregex.c
@@ -518,7 +518,7 @@ PHP_FUNCTION(mb_regex_encoding)
 static void _php_mb_regex_ereg_exec(INTERNAL_FUNCTION_PARAMETERS, int icase)
 {
 	zval tmp;
-	zval *arg_pattern, *array;
+	zval **arg_pattern, *array;
 	char *string;
 	int string_len;
 	php_mb_regex_t *re;
@@ -529,7 +529,7 @@ static void _php_mb_regex_ereg_exec(INTERNAL_FUNCTION_PARAMETERS, int icase)
 
 	array = NULL;
 
-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "zs|z", &arg_pattern, &string, &string_len, &array) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "Zs|z", &arg_pattern, &string, &string_len, &array) == FAILURE) {
 		RETURN_FALSE;
 	}
 
@@ -539,18 +539,15 @@ static void _php_mb_regex_ereg_exec(INTERNAL_FUNCTION_PARAMETERS, int icase)
 	}
 
 	/* compile the regular expression from the supplied regex */
-	if (Z_TYPE_P(arg_pattern) != IS_STRING) {
+	if (Z_TYPE_PP(arg_pattern) != IS_STRING) {
 		/* we convert numbers to integers and treat them as a string */
-		tmp = *arg_pattern;
-		zval_copy_ctor(&tmp);
-		if (Z_TYPE_P(&tmp) == IS_DOUBLE) {
-			convert_to_long(&tmp);	/* get rid of decimal places */
+		if (Z_TYPE_PP(arg_pattern) == IS_DOUBLE) {
+			convert_to_long_ex(arg_pattern);	/* get rid of decimal places */
 		}
-		convert_to_string(&tmp);
-		arg_pattern = &tmp;
+		convert_to_string_ex(arg_pattern);
 		/* don't bother doing an extended regex with just a number */
 	}
-	re = php_mbregex_compile_pattern(Z_STRVAL_P(arg_pattern), Z_STRLEN_P(arg_pattern), options, MBSTRG(current_mbctype), MBSTRG(regex_default_syntax) TSRMLS_CC);
+	re = php_mbregex_compile_pattern(Z_STRVAL_PP(arg_pattern), Z_STRLEN_PP(arg_pattern), options, MBSTRG(current_mbctype), MBSTRG(regex_default_syntax) TSRMLS_CC);
 	if (re == NULL) {
 		RETVAL_FALSE;
 		goto out;
@@ -590,9 +587,6 @@ out:
 	if (regs != NULL) {
 		onig_region_free(regs, 1);
 	}
-	if (arg_pattern == &tmp) {
-		zval_dtor(&tmp);
-	}
 }
 /* }}} */
 
diff --git a/ext/mbstring/tests/mb_ereg1.phpt b/ext/mbstring/tests/mb_ereg1.phpt
new file mode 100644
index 0000000000..e420312da1
--- /dev/null
+++ b/ext/mbstring/tests/mb_ereg1.phpt
@@ -0,0 +1,79 @@
+--TEST--
+mb_ereg() and invalid arguments
+--SKIPIF--
+<?php if (!function_exists("mb_ereg")) print "skip"; ?>
+--FILE--
+<?php
+
+$a = array(
+	array(1,2,3),
+	array("", "", ""),
+	array(array(), 1, ""),
+	array(1, array(), ""),
+	array(1, "", array()),
+	);
+
+foreach ($a as $args) {
+	var_dump(mb_ereg($args[0], $args[1], $args[2]));
+	var_dump($args);
+}
+
+echo "Done\n";
+?>
+--EXPECTF--	
+bool(false)
+array(3) {
+  [0]=>
+  int(1)
+  [1]=>
+  int(2)
+  [2]=>
+  int(3)
+}
+int(1)
+array(3) {
+  [0]=>
+  string(0) ""
+  [1]=>
+  string(0) ""
+  [2]=>
+  array(1) {
+    [0]=>
+    bool(false)
+  }
+}
+
+Notice: Array to string conversion in %s on line %d
+bool(false)
+array(3) {
+  [0]=>
+  array(0) {
+  }
+  [1]=>
+  int(1)
+  [2]=>
+  string(0) ""
+}
+
+Warning: mb_ereg() expects parameter 2 to be string, array given in %s on line %d
+bool(false)
+array(3) {
+  [0]=>
+  int(1)
+  [1]=>
+  array(0) {
+  }
+  [2]=>
+  string(0) ""
+}
+bool(false)
+array(3) {
+  [0]=>
+  int(1)
+  [1]=>
+  string(0) ""
+  [2]=>
+  array(0) {
+  }
+}
+Done