authorStanislav Malyshev <stas@php.net>2018-12-29 20:06:08 -0800
committerStanislav Malyshev <stas@php.net>2019-01-06 11:38:46 -0800
commitc6e34d91b88638966662caac62c4d0e90538e317 (patch)
tree39e03f43dd7c2f2fb83361ce2166197f3f32eb3a
parentdeb06bbb9cbb31292fc219501614a8c3ff25bb11 (diff)
downloadphp-git-c6e34d91b88638966662caac62c4d0e90538e317.tar.gz
Fix bug #77371 (heap buffer overflow in mb regex functions - compile_string_node)
-rw-r--r--ext/mbstring/oniguruma/regcomp.c1
-rw-r--r--ext/mbstring/tests/bug77371.phpt10
2 files changed, 11 insertions, 0 deletions
diff --git a/ext/mbstring/oniguruma/regcomp.c b/ext/mbstring/oniguruma/regcomp.c
index b93ca948a7..c72d65d694 100644
--- a/ext/mbstring/oniguruma/regcomp.c
+++ b/ext/mbstring/oniguruma/regcomp.c
@@ -524,6 +524,7 @@ compile_string_node(Node* node, regex_t* reg)
for (; p < end; ) {
len = enclen(enc, p);
+ if (p + len > end) len = end - p;
if (len == prev_len) {
slen++;
}
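Review bot: The added guard `p + len > end` computes a pointer that can lie more than one past the end of the buffer before comparing it, which is undefined behaviour in C and is exactly the case this check exists for; comparing lengths avoids that: `if (len > end - p) len = end - p;`. The line also deserves a short comment, since enclen() is given only `p` and so cannot know where the string stops, e.g. `/* clamp: a truncated trailing multibyte sequence must not run past end */`. Note that the clamp silently compiles the truncated lead byte as a shorter character rather than rejecting the pattern; if other loops in this file advance with enclen() in the same way, they would presumably need the same bound. The body of compile_string_node continues outside this hunk.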
diff --git a/ext/mbstring/tests/bug77371.phpt b/ext/mbstring/tests/bug77371.phpt
new file mode 100644
index 0000000000..f23445bd09
--- /dev/null
+++ b/ext/mbstring/tests/bug77371.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Bug #77371 (heap buffer overflow in mb regex functions - compile_string_node)
+--SKIPIF--
+<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
+--FILE--
+<?php
+var_dump(mb_ereg("()0\xfc00000\xfc00000\xfc00000\xfc",""))
+?>
+--EXPECT--
+bool(false)
\ No newline at end of file
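Review bot: This test asserts only `bool(false)` for one pattern, so on a build without a memory checker it may well pass even with the out-of-bounds read still present; its value as a regression test likely depends on the suite being run under ASan or valgrind. A short `--DESCRIPTION--` section would help the next maintainer, for example `Pattern ends in a lone 0xfc lead byte, so the last character is truncated; must not read past the end of the pattern buffer.` It would also be worth pinning the encoding the test relies on rather than inheriting the default, since whether 0xfc is treated as a multibyte lead byte depends on it.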