author | Derick Rethans <derick@php.net> | 2006-03-15 12:20:49 +0000 |
---|---|---|
committer | Derick Rethans <derick@php.net> | 2006-03-15 12:20:49 +0000 |
commit | c76917a7737e5f13e87c79863449b8a22bcc17ed (patch) | |
tree | d03ed932c573299d15fec1457ad49f0d79623f39 | |
parent | d3e5691b41013689618cdaca45fd4d44cffb767b (diff) | |
- Fixed two memory issues:
- In the first one we were calculating the tmp_len wrong which made the
u_strFromUTF32() function try to convert too many code points.
- The second issue was a bit more subtle as the "what" string wasn't
duplicated but still modified. This string is passed as data to the
function and this kind of data the engine tries to free when the function
ends. Because we were re-allocating the data the original memory location
was already freed resulting in a double free error when the engine tries to
free the argument as it was passed to the function.
-rw-r--r-- | ext/standard/string.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/ext/standard/string.c b/ext/standard/string.c
index 137e3b1053..523615d2c8 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -632,8 +632,8 @@ static int php_expand_u_trim_range(UChar **range, int *range_len TSRMLS_DC)
 for ( idx = 0, end = input+len ; input < end ; input++ ) {
 c = input[0];
 if ( (input+3 < end) && input[1] == '.' && input[2] == '.' && input[3] >= c ) {
- tmp_len += (input[3] - c + 1);
- tmp = (UChar32 *)erealloc(tmp, tmp_len*sizeof(UChar32));
+ tmp_len += (input[3] - c + 1 - 4);
+ tmp = (UChar32 *)erealloc(tmp, (tmp_len+1)*sizeof(UChar32));
 for ( ; c <= input[3] ; c++ ) {
 if ( U_IS_UNICODE_CHAR(c) ) tmp[idx++] = c;
 }
@@ -700,6 +700,7 @@ static UChar *php_u_trim(UChar *c, int len, UChar *what, int what_len, zval *ret
 int32_t start = 0, end = len;
 if ( what ) {
+ what = eustrndup(what, what_len);
 php_expand_u_trim_range(&what, &what_len TSRMLS_CC);
 }
@@ -738,6 +739,10 @@ static UChar *php_u_trim(UChar *c, int len, UChar *what, int what_len, zval *ret
 } else {
 --end;
 }
+ if ( what )
+ {
+ efree( what );
+ }
 if ( start < len ) {
 if ( return_value ) { |
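Review bot: `tmp_len` is still only an upper bound after this change, because the inner loop stores a code point only when `U_IS_UNICODE_CHAR(c)` is true; a range that spans surrogates or noncharacters leaves `idx` below `tmp_len` and the tail of `tmp` unwritten. If the `u_strFromUTF32()` call named in the commit message (outside this hunk) is given `tmp_len` as its source length, it would read those uninitialised slots, and passing `idx` instead would limit it to what was actually stored. The bare `- 4` also deserves a comment, for example `/* the 4 input code points of "a..b" are replaced by the expanded run */`. The function body starts and ends outside the hunk.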
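Review bot: The return value of `php_expand_u_trim_range()` is still discarded on the line after the new `eustrndup()` copy, although the first hunk header shows it is declared `static int`. If expansion can fail, the trim loop then runs with whatever `what` and `what_len` were left holding, so a check here would be worth adding; what php_u_trim should return in that case cannot be decided from the hunk. The new line would also benefit from a comment recording why the copy exists, such as `/* private copy: the expander reallocates *range, the engine still owns the caller's buffer */`. php_u_trim's body starts and continues outside the hunk.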
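Review bot: The added block does not follow the brace and spacing style of the code around it, which writes `if ( what ) {` on one line and calls such as `erealloc(tmp, ...)` without padded parentheses; it would read more consistently as `if ( what ) {`, `efree(what);`, `}`. Separately, the copy is released at this single point only, so any return between the `eustrndup()` in the previous hunk and this line would leak it. That cannot be checked from here because the function body continues outside the hunk.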