diff options
| author | Christoph M. Becker <cmbecker69@gmx.de> | 2018-12-29 14:17:23 +0100 |
|---|---|---|
| committer | Christoph M. Becker <cmbecker69@gmx.de> | 2019-01-07 13:46:49 +0100 |
| commit | 11ce508ee3390d4e68542c9fdae1277e3e75a573 (patch) | |
| tree | 6cfba6293be6bcec8fccd8e7b27e7b09acd3346c | |
| parent | a15af81b5f0058e020eda0f109f51a3c863f5212 (diff) | |
| download | php-git-11ce508ee3390d4e68542c9fdae1277e3e75a573.tar.gz | |
Fix #77367: Negative size parameter in mb_split
When adding the last element to the result value of `mb_split`, the
`chunk_pos` may point beyond the end of the string, in which case the
unsigned `n` would underflow. Therefore, we check whether this is the
case in the first place, and only calculate `n` otherwise. Since `n`
is no longer used outside the block, we move its declaration inside.
(cherry picked from commit e617f03066ce81d26f56c06d6bd7787c7de08703)
| -rw-r--r-- | NEWS | 3 | ||||
| -rw-r--r-- | ext/mbstring/php_mbregex.c | 5 | ||||
| -rw-r--r-- | ext/mbstring/tests/bug77367.phpt | 21 |
3 files changed, 26 insertions, 3 deletions
@@ -31,6 +31,9 @@ PHP NEWS use-after-free). (cmb) . Fixed bug #77270 (imagecolormatch Out Of Bounds Write on Heap). (cmb) +- MBString: + . Fixed bug #77367 (Negative size parameter in mb_split). (Stas) + - OCI8: . Fixed bug #76804 (oci_pconnect with OCI_CRED_EXT not working). (KoenigsKind) . Added oci_set_call_timeout() for call timeouts. diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c index 68922b6966..85219b00e4 100644 --- a/ext/mbstring/php_mbregex.c +++ b/ext/mbstring/php_mbregex.c @@ -1238,7 +1238,6 @@ PHP_FUNCTION(mb_split) size_t string_len; int err; - size_t n; zend_long count = -1; if (zend_parse_parameters(ZEND_NUM_ARGS(), "ss|l", &arg_pattern, &arg_pattern_len, &string, &string_len, &count) == FAILURE) { @@ -1296,8 +1295,8 @@ PHP_FUNCTION(mb_split) } /* otherwise we just have one last element to add to the array */ - n = ((OnigUChar *)(string + string_len) - chunk_pos); - if (n > 0) { + if ((OnigUChar *)(string + string_len) > chunk_pos) { + size_t n = ((OnigUChar *)(string + string_len) - chunk_pos); add_next_index_stringl(return_value, (char *)chunk_pos, n); } else { add_next_index_stringl(return_value, "", 0); diff --git a/ext/mbstring/tests/bug77367.phpt b/ext/mbstring/tests/bug77367.phpt new file mode 100644 index 0000000000..0ba76fd23c --- /dev/null +++ b/ext/mbstring/tests/bug77367.phpt @@ -0,0 +1,21 @@ +--TEST-- +Bug #77367 (Negative size parameter in mb_split) +--SKIPIF-- +<?php +if (!extension_loaded('mbstring')) die('mbstring extension not available'); +if (!function_exists('mb_split')) die('mb_split() not available'); +?> +--FILE-- +<?php +mb_regex_encoding('UTF-8'); +var_dump(mb_split("\\w", "\xfc")); +?> +===DONE=== +--EXPECT-- +array(2) { + [0]=> + string(0) "" + [1]=> + string(0) "" +} +===DONE=== |