authorChristoph M. Becker <cmbecker69@gmx.de>2016-09-04 16:37:06 +0200
committerChristoph M. Becker <cmbecker69@gmx.de>2016-09-04 16:37:06 +0200
commitb7259b71b430ed733441261f7cf1282f04bb80f1 (patch)
treed6c9ec7ebb9de1b57981b89e8fa98d9a58fe8592
parentd58224136801ce93b013079557d1de4d068b9b99 (diff)
downloadphp-git-b7259b71b430ed733441261f7cf1282f04bb80f1.tar.gz
Fix #72994: mbc_to_code() out of bounds read
We're backporting commit 999a3553 to the still supported PHP 5.6.
-rw-r--r--NEWS3
-rw-r--r--ext/mbstring/php_mbregex.c6
-rw-r--r--ext/mbstring/tests/bug72994.phpt17
3 files changed, 25 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index 95d23f2b3d..8f385297c3 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,9 @@ PHP NEWS
. Fixed bug #67325 (imagetruecolortopalette: white is duplicated in palette).
(cmb)
+- Mbstring:
+ . Fixed bug #72994 (mbc_to_code() out of bounds read). (Laruence, cmb)
+
15 Sep 2016, PHP 5.6.26
- Core:
diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
index 7e9756fa15..a1cabb164b 100644
--- a/ext/mbstring/php_mbregex.c
+++ b/ext/mbstring/php_mbregex.c
@@ -811,7 +811,7 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp
OnigUChar *pos;
OnigUChar *string_lim;
char *description = NULL;
- char pat_buf[2];
+ char pat_buf[6];
const mbfl_encoding *enc;
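Review bot: The new size in `char pat_buf[6];` is a bare magic number, and nothing in the declaration says where 6 comes from. Judging by the commit title, it is meant to cover the longest multibyte sequence that the encoding's mbc_to_code() may read after a lead byte. That bound is not visible in this hunk and should be confirmed against every encoding mbregex can select. I would add a comment such as `/* padded so mbc_to_code() cannot read past the buffer when the single byte is a multibyte lead byte */`, and ideally derive the size from a named constant rather than a literal. The body of _php_mb_regex_ereg_replace_exec starts and ends outside the hunk.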
@@ -862,6 +862,10 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp
convert_to_long_ex(arg_pattern_zval);
pat_buf[0] = (char)Z_LVAL_PP(arg_pattern_zval);
pat_buf[1] = '\0';
+ pat_buf[2] = '\0';
+ pat_buf[3] = '\0';
+ pat_buf[4] = '\0';
+ pat_buf[5] = '\0';
arg_pattern = pat_buf;
arg_pattern_len = 1;
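Review bot: `arg_pattern_len = 1;` is unchanged, so the fix depends on the regex library reading past the declared length into the zeroed tail rather than on the length being honoured. That should be stated in a comment here, because a later cleanup could otherwise shrink the buffer back to two bytes and reintroduce the over-read. The four stores `pat_buf[2] = '\0';` through `pat_buf[5] = '\0';` must also be kept in step with the array size by hand. `memset(pat_buf + 1, 0, sizeof(pat_buf) - 1);` would follow the declaration automatically. The enclosing function continues outside the hunk.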
diff --git a/ext/mbstring/tests/bug72994.phpt b/ext/mbstring/tests/bug72994.phpt
new file mode 100644
index 0000000000..1d37bae7be
--- /dev/null
+++ b/ext/mbstring/tests/bug72994.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #72994 (mbc_to_code() out of bounds read)
+--SKIPIF--
+<?php
+if (!extension_loaded('mbstring')) die('skip mbstring extension not available');
+if (!function_exists('mbereg_replace')) die('skip mbereg_replace() not available');
+?>
+--FILE--
+<?php
+$var1 = mbereg_replace($var-232338951,NULL,NULL,NULL);
+var_dump($var1);
+?>
+===DONE===
+--EXPECTF--
+Notice: Undefined variable: var in %s on line %d
+string(0) ""
+===DONE===
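Review bot: The `--EXPECTF--` section only checks the printed result, so this test will probably pass on an unfixed build unless it runs under valgrind or ASan; reading a few stack bytes out of bounds does not change the output deterministically. The input also hides what matters: `$var-232338951` evaluates to -232338951 (with the notice), and only its low byte, 0xF9, reaches `pat_buf[0]`. I would add a comment in the `--FILE--` section such as `// low byte 0xF9 is presumably taken as a multibyte lead byte by the regex encoding`. Pinning the encoding with `mb_regex_encoding()` would also stop the test depending on the build's default.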