author | Xinchen Hui <laruence@gmail.com> | 2016-12-09 15:55:07 +0800 |
---|---|---|
committer | Xinchen Hui <laruence@gmail.com> | 2016-12-09 15:55:07 +0800 |
commit | 6a43c61bcdedf54b1736e608f0919bacdba6ed00 (patch) | |
tree | 1dafb472fa05f37a56f9c8a327efd80303bef27c | |
parent | 4faa540b45fce018252cd00751d3a5002ad3d00a (diff) | |
download | php-git-6a43c61bcdedf54b1736e608f0919bacdba6ed00.tar.gz |
Fixed bug #73646 (mb_ereg_search_init null pointer dereference)
-rw-r--r-- | NEWS | 4 | ||||
-rw-r--r-- | ext/mbstring/php_mbregex.c | 12 | ||||
-rw-r--r-- | ext/mbstring/tests/bug73646.phpt | 11 |
3 files changed, 21 insertions, 6 deletions
@@ -6,6 +6,10 @@ PHP NEWS
 . Fixed bug #73663 ("Invalid opcode 65/16/8" occurs with a variable created with list()). (Laruence)
+- Mbstring:
+ . Fixed bug #73646 (mb_ereg_search_init null pointer dereference).
+ (Laruence)
+
 - Opcache:
 . Fixed bug #73654 (Segmentation fault in zend_call_function). (Nikita)
 . Fixed bug #73668 ("SIGFPE Arithmetic exception" in opcache when divide by
diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
index cf341d3599..50f6210b30 100644
--- a/ext/mbstring/php_mbregex.c
+++ b/ext/mbstring/php_mbregex.c
@@ -1345,13 +1345,13 @@ PHP_FUNCTION(mb_ereg_search_regs)
 PHP_FUNCTION(mb_ereg_search_init)
 {
 size_t argc = ZEND_NUM_ARGS();
- zval *arg_str;
+ zend_string *arg_str;
 char *arg_pattern = NULL, *arg_options = NULL;
 size_t arg_pattern_len = 0, arg_options_len = 0;
 OnigSyntaxType *syntax = NULL;
 OnigOptionType option;
- if (zend_parse_parameters(argc, "z|ss", &arg_str, &arg_pattern, &arg_pattern_len, &arg_options, &arg_options_len) == FAILURE) {
+ if (zend_parse_parameters(argc, "S|ss", &arg_str, &arg_pattern, &arg_pattern_len, &arg_options, &arg_options_len) == FAILURE) {
 return;
 }
@@ -1379,17 +1379,17 @@ PHP_FUNCTION(mb_ereg_search_init)
 zval_ptr_dtor(&MBREX(search_str));
 }
- ZVAL_DUP(&MBREX(search_str), arg_str);
+ ZVAL_STR_COPY(&MBREX(search_str), arg_str);
 if (php_mb_check_encoding(
- Z_STRVAL_P(arg_str),
- Z_STRLEN_P(arg_str),
+ ZSTR_VAL(arg_str),
+ ZSTR_LEN(arg_str),
 _php_mb_regex_mbctype2name(MBREX(current_mbctype))
 )) {
 MBREX(search_pos) = 0;
 RETVAL_TRUE;
 } else {
- MBREX(search_pos) = Z_STRLEN_P(arg_str);
+ MBREX(search_pos) = ZSTR_LEN(arg_str);
 RETVAL_FALSE;
 }
diff --git a/ext/mbstring/tests/bug73646.phpt b/ext/mbstring/tests/bug73646.phpt
new file mode 100644
index 0000000000..a6aefb22d4
--- /dev/null
+++ b/ext/mbstring/tests/bug73646.phpt
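Review bot: In the second php_mbregex.c hunk, `ZVAL_STR_COPY(&MBREX(search_str), arg_str);` stores the subject before `php_mb_check_encoding()` runs, so a string that fails validation stays in the module's search state even though the function returns FALSE. The failure branch only moves `search_pos` to the end of the string; whether a later call can still run a search over the invalid bytes depends on code outside this hunk. Consider releasing it in the `else` branch with `zval_ptr_dtor(&MBREX(search_str)); ZVAL_UNDEF(&MBREX(search_str));`, provided the rest of the file treats an undefined `search_str` as "no subject set", which is not visible here. The body of mb_ereg_search_init continues outside this hunk.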
@@ -0,0 +1,11 @@
+--TEST--
+Bug #73646 (mb_ereg_search_init null pointer dereference)
+--FILE--
+<?php
+
+$v1=str_repeat("#", -1);
+var_dump(mb_ereg_search_init($v1));
+?>
+--EXPECTF--
+Warning: str_repeat(): Second argument has to be greater than or equal to 0 in %sbug73646.php on line %d
+bool(true)
|
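Review bot: The new test has no `--SKIPIF--` section, so on a build without mbstring or its regex functions it would fail instead of being skipped; a `--SKIPIF--` line followed by `<?php if (!function_exists('mb_ereg_search_init')) die('skip mbregex not available'); ?>` covers that. The null argument is produced by a failing `str_repeat("#", -1)`, which ties the expected output to the wording of an unrelated warning; `var_dump(mb_ereg_search_init(null));` reaches the same path directly. Because the removed `z` specifier accepted any argument type, adding a case with a non-string argument (an integer or an array) would pin the new `S` handling more firmly than the single null case does.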