MFH:- Fixed bug #31911 (mb_ereg*_replace() crashes when replacement string is invalid

      PHP expression and 'e' option is used)

2 files changed, 27 insertions, 1 deletions

diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
index 79ff22a503..3f8bca9d47 100644
--- a/ext/mbstring/php_mbregex.c
+++ b/ext/mbstring/php_mbregex.c
@@ -737,7 +737,12 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp
 				/* null terminate buffer */
 				smart_str_appendc(&eval_buf, '\0');
 				/* do eval */
-				zend_eval_string(eval_buf.c, &v, description TSRMLS_CC);
+				if (zend_eval_string(eval_buf.c, &v, description TSRMLS_CC) == FAILURE) {
+					efree(description);
+					php_error_docref(NULL TSRMLS_CC,E_ERROR, "Failed evaluating code: %s%s", PHP_EOL, eval_buf.c);
+					/* zend_error() does not return in this case */
+				}
+
 				/* result of eval */
 				convert_to_string(&v);
 				smart_str_appendl(&out_buf, Z_STRVAL(v), Z_STRLEN(v));
diff --git a/ext/mbstring/tests/bug43301.phpt b/ext/mbstring/tests/bug43301.phpt
new file mode 100644
index 0000000000..605da21ccd
--- /dev/null
+++ b/ext/mbstring/tests/bug43301.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Bug #31911 (mb_ereg*_replace() crashes when replacement string is invalid PHP expression and 'e' option is used)
+--SKIPIF--
+<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
+--FILE--
+<?php
+
+$ptr = 'hello';
+
+$txt = <<<doc
+hello, I have got a cr*sh on you
+doc;
+
+echo mb_ereg_replace($ptr,'$1',$txt,'e');
+
+?>
+--EXPECTF--
+Parse error: syntax error, unexpected T_LNUMBER, expecting T_VARIABLE or '$' in %s/bug43301.php(%d) : mbregex replace on line 1
+
+Fatal error: mb_ereg_replace(): Failed evaluating code: 
+$1 in %s/bug43301.php on line %d