diff options
| author | Stanislav Malyshev <stas@php.net> | 2012-08-28 22:02:15 -0700 |
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2012-08-28 22:02:15 -0700 |
| commit | ab566a9712eccad8939261934366a3ea2656c8df (patch) | |
| tree | 8a4e4d9941f25991e9da0346ea8c17c023dcefe6 | |
| parent | 6b1073a3a7030d70a684638f098dbf22affb5c63 (diff) | |
| parent | 8b3c1a380a182655113b94b0b96551e98d05a8d3 (diff) | |
| download | php-git-ab566a9712eccad8939261934366a3ea2656c8df.tar.gz | |
Merge branch 'PHP-5.4'
* PHP-5.4:
fix bug #55856: preg_replace should fail on trailing garbage
Bug #62956: fixing private method signature validation
NEWS for 886a50a
| -rw-r--r-- | ext/pcre/php_pcre.c | 32 | ||||
| -rw-r--r-- | ext/pcre/tests/null_bytes.phpt | 42 |
2 files changed, 62 insertions, 12 deletions
diff --git a/ext/pcre/php_pcre.c b/ext/pcre/php_pcre.c index 6b0a41fbed..6d393a26a7 100644 --- a/ext/pcre/php_pcre.c +++ b/ext/pcre/php_pcre.c @@ -275,7 +275,8 @@ PHPAPI pcre_cache_entry* pcre_get_compiled_regex_cache(char *regex, int regex_le get to the end without encountering a delimiter. */ while (isspace((int)*(unsigned char *)p)) p++; if (*p == 0) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Empty regular expression"); + php_error_docref(NULL TSRMLS_CC, E_WARNING, + p < regex + regex_len ? "Null byte in regex" : "Empty regular expression"); return NULL; } @@ -292,21 +293,18 @@ PHPAPI pcre_cache_entry* pcre_get_compiled_regex_cache(char *regex, int regex_le delimiter = pp[5]; end_delimiter = delimiter; + pp = p; + if (start_delimiter == end_delimiter) { /* We need to iterate through the pattern, searching for the ending delimiter, but skipping the backslashed delimiters. If the ending delimiter is not found, display a warning. */ - pp = p; while (*pp != 0) { if (*pp == '\\' && pp[1] != 0) pp++; else if (*pp == delimiter) break; pp++; } - if (*pp == 0) { - php_error_docref(NULL TSRMLS_CC,E_WARNING, "No ending delimiter '%c' found", delimiter); - return NULL; - } } else { /* We iterate through the pattern, searching for the matching ending * delimiter. For each matching starting delimiter, we increment nesting @@ -314,7 +312,6 @@ PHPAPI pcre_cache_entry* pcre_get_compiled_regex_cache(char *regex, int regex_le * reach the end of the pattern without matching, display a warning. */ int brackets = 1; /* brackets nesting level */ - pp = p; while (*pp != 0) { if (*pp == '\\' && pp[1] != 0) pp++; else if (*pp == end_delimiter && --brackets <= 0) @@ -323,10 +320,17 @@ PHPAPI pcre_cache_entry* pcre_get_compiled_regex_cache(char *regex, int regex_le brackets++; pp++; } - if (*pp == 0) { - php_error_docref(NULL TSRMLS_CC,E_WARNING, "No ending matching delimiter '%c' found", end_delimiter); - return NULL; + } + + if (*pp == 0) { + if (pp < regex + regex_len) { + php_error_docref(NULL TSRMLS_CC,E_WARNING, "Null byte in regex"); + } else if (start_delimiter == end_delimiter) { + php_error_docref(NULL TSRMLS_CC,E_WARNING, "No ending delimiter '%c' found", delimiter); + } else { + php_error_docref(NULL TSRMLS_CC,E_WARNING, "No ending matching delimiter '%c' found", delimiter); } + return NULL; } /* Make a copy of the actual pattern. */ @@ -337,7 +341,7 @@ PHPAPI pcre_cache_entry* pcre_get_compiled_regex_cache(char *regex, int regex_le /* Parse through the options, setting appropriate flags. Display a warning if we encounter an unknown modifier. */ - while (*pp != 0) { + while (pp < regex + regex_len) { switch (*pp++) { /* Perl compatible options */ case 'i': coptions |= PCRE_CASELESS; break; @@ -368,7 +372,11 @@ PHPAPI pcre_cache_entry* pcre_get_compiled_regex_cache(char *regex, int regex_le break; default: - php_error_docref(NULL TSRMLS_CC,E_WARNING, "Unknown modifier '%c'", pp[-1]); + if (pp[-1]) { + php_error_docref(NULL TSRMLS_CC,E_WARNING, "Unknown modifier '%c'", pp[-1]); + } else { + php_error_docref(NULL TSRMLS_CC,E_WARNING, "Null byte in regex"); + } efree(pattern); return NULL; } diff --git a/ext/pcre/tests/null_bytes.phpt b/ext/pcre/tests/null_bytes.phpt new file mode 100644 index 0000000000..9a3f433ffb --- /dev/null +++ b/ext/pcre/tests/null_bytes.phpt @@ -0,0 +1,42 @@ +--TEST-- +Zero byte test +--FILE-- +<?php + +preg_match("\0//i", ""); +preg_match("/\0/i", ""); +preg_match("//\0i", ""); +preg_match("//i\0", ""); +preg_match("/\\\0/i", ""); + +preg_match("\0[]i", ""); +preg_match("[\0]i", ""); +preg_match("[]\0i", ""); +preg_match("[]i\0", ""); +preg_match("[\\\0]i", ""); + +preg_replace("/foo/e\0/i", "echo('Eek');", ""); + +?> +--EXPECTF-- +Warning: preg_match(): Null byte in regex in %snull_bytes.php on line 3 + +Warning: preg_match(): Null byte in regex in %snull_bytes.php on line 4 + +Warning: preg_match(): Null byte in regex in %snull_bytes.php on line 5 + +Warning: preg_match(): Null byte in regex in %snull_bytes.php on line 6 + +Warning: preg_match(): Null byte in regex in %snull_bytes.php on line 7 + +Warning: preg_match(): Null byte in regex in %snull_bytes.php on line 9 + +Warning: preg_match(): Null byte in regex in %snull_bytes.php on line 10 + +Warning: preg_match(): Null byte in regex in %snull_bytes.php on line 11 + +Warning: preg_match(): Null byte in regex in %snull_bytes.php on line 12 + +Warning: preg_match(): Null byte in regex in %snull_bytes.php on line 13 + +Warning: preg_replace(): Null byte in regex in %snull_bytes.php on line 15 |