Fixed(attempt to) bug #72405 (mb_ereg_replace - mbc_to_code (oniguruma) - oob read access)

according to ext/mbstring/oniguruma/enc/utf8.c, max bytes are 6
author: Xinchen Hui <laruence@gmail.com> 2016-06-15 14:54:57 +0800
committer: Xinchen Hui <laruence@gmail.com> 2016-06-15 14:54:57 +0800
commit: 999a3553d58c537b4919821855b2cc8fb62b0b2f (patch)
tree: 34afbc5ee8d7034368f8c3953fc593b6ce464980 /ext/mbstring
parent: 3d5641872239cbd4ec8855b05c90f94fb0d11d7e (diff)
download: php-git-999a3553d58c537b4919821855b2cc8fb62b0b2f.tar.gz
1 files changed, 3 insertions, 1 deletions
diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
index c1f9fc2560..2337926740 100644
--- a/ext/mbstring/php_mbregex.c
+++ b/ext/mbstring/php_mbregex.c
@@ -811,7 +811,7 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp
 	OnigUChar *pos;
 	OnigUChar *string_lim;
 	char *description = NULL;
-	char pat_buf[4];
+	char pat_buf[6];
 
 	const mbfl_encoding *enc;
 
@@ -864,6 +864,8 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp
 		pat_buf[1] = '\0';
 		pat_buf[2] = '\0';
 		pat_buf[3] = '\0';
+		pat_buf[4] = '\0';
+		pat_buf[5] = '\0';
 
 		arg_pattern = pat_buf;
 		arg_pattern_len = 1;
author	Xinchen Hui <laruence@gmail.com>	2016-06-15 14:54:57 +0800
committer	Xinchen Hui <laruence@gmail.com>	2016-06-15 14:54:57 +0800
commit	999a3553d58c537b4919821855b2cc8fb62b0b2f (patch)
tree	34afbc5ee8d7034368f8c3953fc593b6ce464980 /ext/mbstring
parent	3d5641872239cbd4ec8855b05c90f94fb0d11d7e (diff)
download	php-git-999a3553d58c537b4919821855b2cc8fb62b0b2f.tar.gz