authorChristoph M. Becker <cmbecker69@gmx.de>2016-09-04 16:37:06 +0200
committerChristoph M. Becker <cmbecker69@gmx.de>2016-09-04 16:37:06 +0200
commitb7259b71b430ed733441261f7cf1282f04bb80f1 (patch)
treed6c9ec7ebb9de1b57981b89e8fa98d9a58fe8592 /ext/mbstring/php_mbregex.c
parentd58224136801ce93b013079557d1de4d068b9b99 (diff)
Fix #72994: mbc_to_code() out of bounds read
We're backporting commit 999a3553 to the still supported PHP 5.6.
Diffstat (limited to 'ext/mbstring/php_mbregex.c')
-rw-r--r--ext/mbstring/php_mbregex.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
index 7e9756fa15..a1cabb164b 100644
--- a/ext/mbstring/php_mbregex.c
+++ b/ext/mbstring/php_mbregex.c
@@ -811,7 +811,7 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp
OnigUChar *pos;
OnigUChar *string_lim;
char *description = NULL;
- char pat_buf[2];
+ char pat_buf[6];
const mbfl_encoding *enc;
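Review bot: The new size in `char pat_buf[6];` is a bare magic number, and nothing in this hunk records why six bytes are enough. Going by the commit title, the padding is there so that a multibyte decode starting at `pat_buf[0]` stays inside the array. That presumably needs 6 to be at least the longest sequence a lead byte can announce in any supported encoding, which is not visible here and should be confirmed. I would add a comment on the declaration such as `/* NUL-padded so mbc_to_code() cannot read past the array when pat_buf[0] is a multibyte lead byte */` and zero the array where it is declared, `char pat_buf[6] = {0};`, so the four separate `pat_buf[n] = '\0';` stores in the second hunk cannot drift out of step with the size if it changes again. The body of `_php_mb_regex_ereg_replace_exec` starts and ends outside both hunks.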
@@ -862,6 +862,10 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp
convert_to_long_ex(arg_pattern_zval);
pat_buf[0] = (char)Z_LVAL_PP(arg_pattern_zval);
pat_buf[1] = '\0';
+ pat_buf[2] = '\0';
+ pat_buf[3] = '\0';
+ pat_buf[4] = '\0';
+ pat_buf[5] = '\0';
arg_pattern = pat_buf;
arg_pattern_len = 1;