Merge branch 'PHP-7.0' into PHP-7.1

3 files changed, 15 insertions, 1 deletions

diff --git a/NEWS b/NEWS
index 89c0485b4f..c024d7ad37 100644
--- a/NEWS
+++ b/NEWS
@@ -33,6 +33,8 @@ PHP                                                                        NEWS
     zero-width). (cmb)
   . Fixed bug #72694 (mb_ereg_search_setpos does not accept a string's last
     position). (cmb)
+  . Fixed bug #72710 (`mb_ereg` causes buffer overflow on regexp compile error).
+    (ju1ius)
 
 - Mysqlnd:
   . Fixed bug #71863 (Segfault when EXPLAIN with "Unknown column" error when
diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
index fd103abf19..db37bd3739 100644
--- a/ext/mbstring/php_mbregex.c
+++ b/ext/mbstring/php_mbregex.c
@@ -454,7 +454,7 @@ static php_mb_regex_t *php_mbregex_compile_pattern(const char *pattern, int patl
 	rc = zend_hash_str_find_ptr(&MBREX(ht_rc), (char *)pattern, patlen);
 	if (!rc || rc->options != options || rc->enc != enc || rc->syntax != syntax) {
 		if ((err_code = onig_new(&retval, (OnigUChar *)pattern, (OnigUChar *)(pattern + patlen), options, enc, syntax, &err_info)) != ONIG_NORMAL) {
-			onig_error_code_to_str(err_str, err_code, err_info);
+			onig_error_code_to_str(err_str, err_code, &err_info);
 			php_error_docref(NULL, E_WARNING, "mbregex compile err: %s", err_str);
 			retval = NULL;
 			goto out;
diff --git a/ext/mbstring/tests/bug72710.phpt b/ext/mbstring/tests/bug72710.phpt
new file mode 100644
index 0000000000..19becc5010
--- /dev/null
+++ b/ext/mbstring/tests/bug72710.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Bug #72710 (`mb_ereg` causes buffer overflow on regexp compile error)
+--SKIPIF--
+<?php
+if (!extension_loaded('mbstring')) die('skip ext/mbstring required');
+?>
+--FILE--
+<?php
+mb_ereg('(?<0>a)', 'a');
+?>
+--EXPECTF--
+Warning: mb_ereg(): mbregex compile err: invalid group name <0> in %s on line %d