Fixed bug #77428

mb_ereg_replace historically has not supported escaping backslashes
with backslashes. Go back to that behavior for BC reasons.

2 files changed, 17 insertions, 1 deletions

diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
index 85219b00e4..cc96e04f39 100644
--- a/ext/mbstring/php_mbregex.c
+++ b/ext/mbstring/php_mbregex.c
@@ -791,7 +791,9 @@ static inline void mb_regex_substitute(
 				no = onig_name_to_backref_number(regexp, (OnigUChar *)name, (OnigUChar *)name_end, regs);
 				break;
 			default:
-				p += clen;
+				/* We're not treating \ as an escape character and will interpret something like
+				 * \\1 as \ followed by \1, rather than \\ followed by 1. This is because this
+				 * function has not supported escaping of backslashes historically. */
 				smart_str_appendl(pbuf, sp, p - sp);
 				continue;
 		}
diff --git a/ext/mbstring/tests/bug77428.phpt b/ext/mbstring/tests/bug77428.phpt
new file mode 100644
index 0000000000..f153412acb
--- /dev/null
+++ b/ext/mbstring/tests/bug77428.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Bug #77428: mb_ereg_replace() doesn't replace a substitution variable 
+--FILE--
+<?php
+
+// This behavior is broken, but kept for BC reasons
+var_dump(mb_ereg_replace('(%)', '\\\1', 'a%c'));
+// For clarify, the above line is equivalent to:
+var_dump(mb_ereg_replace('(%)', '\\\\1', 'a%c'));
+
+?>
+--EXPECT--
+string(4) "a\%c"
+string(4) "a\%c"