author | Stanislav Malyshev <stas@php.net> | 2018-12-29 19:51:24 -0800 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2019-01-06 11:33:44 -0800 |
commit | 20407d06ca3cb5eeb10f876a812b40c381574bcc (patch) | |
tree | 63b0bc637e5aeb2bb049afc2ee6810df815b590b | |
parent | a918020c03880e12ac9f38e11a4a3789491a5f85 (diff) | |
download | php-git-20407d06ca3cb5eeb10f876a812b40c381574bcc.tar.gz |
Fix bug #77370 - check that we do not read past buffer end when parsing multibytes
-rw-r--r-- | ext/mbstring/oniguruma/regparse.c | 9 | ||||
-rw-r--r-- | ext/mbstring/tests/bug77370.phpt | 13 |
2 files changed, 22 insertions, 0 deletions
diff --git a/ext/mbstring/oniguruma/regparse.c b/ext/mbstring/oniguruma/regparse.c
index d2925f1e81..252ca18712 100644
--- a/ext/mbstring/oniguruma/regparse.c
+++ b/ext/mbstring/oniguruma/regparse.c
@@ -246,6 +246,12 @@ strdup_with_null(OnigEncoding enc, UChar* s, UChar* end)
 }
 #endif
+#if (defined (__GNUC__) && __GNUC__ > 2 ) && !defined(DARWIN) && !defined(__hpux) && !defined(_AIX)
+# define UNEXPECTED(condition) __builtin_expect(condition, 0)
+#else
+# define UNEXPECTED(condition) (condition)
+#endif
+
 /* scan pattern methods */
 #define PEND_VALUE 0
@@ -260,14 +266,17 @@ strdup_with_null(OnigEncoding enc, UChar* s, UChar* end)
 c = ONIGENC_MBC_TO_CODE(enc, p, end); \
 pfetch_prev = p; \
 p += ONIGENC_MBC_ENC_LEN(enc, p); \
+ if(UNEXPECTED(p > end)) p = end; \
 } while (0)
 #define PINC_S do { \
 p += ONIGENC_MBC_ENC_LEN(enc, p); \
+ if(UNEXPECTED(p > end)) p = end; \
 } while (0)
 #define PFETCH_S(c) do { \
 c = ONIGENC_MBC_TO_CODE(enc, p, end); \
 p += ONIGENC_MBC_ENC_LEN(enc, p); \
+ if(UNEXPECTED(p > end)) p = end; \
 } while (0)
 #define PPEEK (p < end ? ONIGENC_MBC_TO_CODE(enc, p, end) : PEND_VALUE)
diff --git a/ext/mbstring/tests/bug77370.phpt b/ext/mbstring/tests/bug77370.phpt
new file mode 100644
index 0000000000..c4d25582fe
--- /dev/null
+++ b/ext/mbstring/tests/bug77370.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #77370 (Buffer overflow on mb regex functions - fetch_token)
+--SKIPIF--
+<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
+--FILE--
+<?php
+var_dump(mb_split(" \xfd",""));
+?>
+--EXPECT--
+array(1) {
+ [0]=>
+ string(0) ""
+} |
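Review bot: The `UNEXPECTED` definition added in the first hunk is unconditional, so it can collide with any other definition of that name reaching this translation unit; PHP's Zend headers define a macro with the same name, though whether they are included here is not visible in the hunk. Wrapping the block in `#ifndef UNEXPECTED` … `#endif` would avoid a redefinition warning or a silently different expansion. Since this is a local addition to vendored Oniguruma code, a one-line comment above it such as `/* branch hint for the end-of-buffer guards in the PFETCH/PINC_S/PFETCH_S macros */` would also help whoever next syncs the library.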
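Review bot: The guard `if(UNEXPECTED(p > end)) p = end;` in the second hunk runs only after `p += ONIGENC_MBC_ENC_LEN(enc, p)` has already moved `p` beyond `end`, and in the first and third macro bodies after `ONIGENC_MBC_TO_CODE(enc, p, end)` has decoded the character, so it protects later reads but not the decode of a truncated trailing character; whether every encoding's decoder honours `end` is not visible here and should be confirmed. Forming a pointer more than one element past the buffer is itself undefined in C, so bounding the length before advancing is cleaner: `{ int n_ = ONIGENC_MBC_ENC_LEN(enc, p); p = (n_ > end - p) ? end : p + n_; }`. The first macro body starts above the hunk, and any other macro in that group that advances `p` by the encoded length would need the same guard.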
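Review bot: The new test calls `mb_split()` without selecting a regex encoding, so whether the `\xfd` byte is treated as a multibyte lead depends on the ini defaults of the run. Adding `mb_regex_encoding('UTF-8');` before the call would pin it, assuming UTF-8 is the encoding the bug was reported against (to be confirmed from the bug report). The `--EXPECT--` section checks only the returned array, so on a build without the fix the over-read may pass unnoticed unless the suite is run under a memory checker such as ASan or Valgrind.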