authorAndrei Zmievski <andrei@php.net>2000-09-14 15:44:36 +0000
committerAndrei Zmievski <andrei@php.net>2000-09-14 15:44:36 +0000
commitb111463f4ca3678718cafb8cdbf3342ed54c05f5 (patch)
tree310bba58390e5fea4567f6ed58ccafd3f64bd053 /ext/pcre/php_pcre.c
parent28690c3d16270743c53d9ca8b7965df0daf85842 (diff)
Fixed bug #6740.
I happen to think that this is a php_addslashes() problem, not PCRE's. When 0 is passed for the length of the string to php_addslashes() it assumes that we want to process the whole string and happily runs strlen() on it. That is bad. It should respect the length and return an empty string if it's 0.
Diffstat (limited to 'ext/pcre/php_pcre.c')
-rw-r--r--ext/pcre/php_pcre.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/ext/pcre/php_pcre.c b/ext/pcre/php_pcre.c
index 68b112ab8f..877eecb152 100644
--- a/ext/pcre/php_pcre.c
+++ b/ext/pcre/php_pcre.c
@@ -560,7 +560,12 @@ static int preg_do_eval(char *eval_str, int eval_str_len, char *subject,
in instead of the backref */
match = subject + offsets[backref<<1];
match_len = offsets[(backref<<1)+1] - offsets[backref<<1];
- esc_match = php_addslashes(match, match_len, &esc_match_len, 0);
+ if (match_len)
+ esc_match = php_addslashes(match, match_len, &esc_match_len, 0);
+ else {
+ esc_match = match;
+ esc_match_len = 0;
+ }
sprintf(backref_buf, "\\%d", backref);
new_code = php_str_to_str(code, code_len,
backref_buf, (backref > 9) ? 3 : 2,
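Review bot: Ownership of `esc_match` is now implicit: in the new else branch it aliases `match`, a pointer into `subject`, and the cleanup hunk further down decides whether to `efree()` it by testing `esc_match_len` instead of the pointer. That holds only while php_addslashes() never reports a zero length for a non-empty input and the else branch keeps setting the length to 0; if either drifts, the result is a leak or an `efree()` on memory this function does not own. Tying the free to the pointer, `if (esc_match != match) efree(esc_match);`, and marking the alias with `/* borrowed from subject; must not be freed */` would make the invariant explicit. This assumes php_addslashes() returns a fresh buffer when its last argument is 0, which cannot be confirmed here because its definition is not in the diff; preg_do_eval's body also starts and ends outside both hunks.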
@@ -570,7 +575,8 @@ static int preg_do_eval(char *eval_str, int eval_str_len, char *subject,
walk = new_code + (walk - code) + match_len;
/* Clean up and reassign */
- efree(esc_match);
+ if (esc_match_len)
+ efree(esc_match);
efree(code);
code = new_code;
code_len = new_code_len;