-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | ext/mbstring/php_mbregex.c | 18 | ||||
-rw-r--r-- | ext/mbstring/tests/bug72164.phpt | 14 |
3 files changed, 29 insertions, 6 deletions
@@ -27,6 +27,9 @@ PHP NEWS . Fixed bug #72069 (Behavior \JsonSerializable different from json_encode). (Laruence) +- Mbstring: + . Fixed bug #72164 (Null Pointer Dereference - mb_ereg_replace). (Laruence) + - OCI8: . Fixed bug #71600 (oci_fetch_all segfaults when selecting more than eight columns). (Tian Yang) diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c index 1bd26d7334..73c94da5e9 100644 --- a/ext/mbstring/php_mbregex.c +++ b/ext/mbstring/php_mbregex.c @@ -935,12 +935,20 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp if (eval) { zval v; + zend_string *eval_str; /* null terminate buffer */ smart_str_0(&eval_buf); + + if (eval_buf.s) { + eval_str = eval_buf.s; + } else { + eval_str = ZSTR_EMPTY_ALLOC(); + } + /* do eval */ - if (zend_eval_stringl(ZSTR_VAL(eval_buf.s), ZSTR_LEN(eval_buf.s), &v, description) == FAILURE) { + if (zend_eval_stringl(ZSTR_VAL(eval_str), ZSTR_LEN(eval_str), &v, description) == FAILURE) { efree(description); - php_error_docref(NULL,E_ERROR, "Failed evaluating code: %s%s", PHP_EOL, ZSTR_VAL(eval_buf.s)); + php_error_docref(NULL,E_ERROR, "Failed evaluating code: %s%s", PHP_EOL, ZSTR_VAL(eval_str)); /* zend_error() does not return in this case */ } @@ -948,7 +956,7 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp convert_to_string(&v); smart_str_appendl(&out_buf, Z_STRVAL(v), Z_STRLEN(v)); /* Clean up */ - ZSTR_LEN(eval_buf.s) = 0; + smart_str_free(&eval_buf); zval_dtor(&v); } else if (is_callable) { zval args[1]; @@ -971,9 +979,7 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp !Z_ISUNDEF(retval)) { convert_to_string_ex(&retval); smart_str_appendl(&out_buf, Z_STRVAL(retval), Z_STRLEN(retval)); - if (eval_buf.s) { - ZSTR_LEN(eval_buf.s) = 0; - } + smart_str_free(&eval_buf); zval_ptr_dtor(&retval); } else { efree(description); 
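Review bot: The new `if (eval_buf.s) { … } else { … }` block in the `eval` branch of php_mbregex.c has no comment saying why the buffer can be NULL at this point; a reader has to know that `smart_str_0()` does not allocate a smart_str that nothing was appended to. I would add `/* eval_buf.s is still NULL when nothing was appended (empty replacement) */` above it and collapse the four lines to `eval_str = eval_buf.s ? eval_buf.s : ZSTR_EMPTY_ALLOC();`. The enclosing function starts and ends outside the hunk.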
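Review bot: The failure branch of the callback path, visible as trailing context in the third php_mbregex.c hunk (`} else { efree(description);`), frees `description` without clearing the pointer and, unlike the success branch, does not release `eval_buf`. If this branch runs once per match and `description` is freed again in the function's common cleanup (both are outside the hunk, so this needs confirming), a failing callback leaves a dangling pointer that is freed a second time. I would set `description = NULL;` right after that `efree(description);`, or drop the free there and leave it to the common cleanup. I would also move `smart_str_free(&eval_buf);` below the `if`/`else` so both outcomes clear the buffer.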
diff --git a/ext/mbstring/tests/bug72164.phpt b/ext/mbstring/tests/bug72164.phpt
new file mode 100644
index 0000000000..bd58f7e5a5
--- /dev/null
+++ b/ext/mbstring/tests/bug72164.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Bug #72164 (Null Pointer Dereference - mb_ereg_replace)
+--SKIPIF--
+<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
+--FILE--
+<?php
+$var0 = "e";
+$var2 = "";
+$var3 = NULL;
+$var8 = mbereg_replace($var2,$var3,$var3,$var0);
+var_dump($var8);
+?>
+--EXPECT--
+string(0) "" |
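Review bot: The new test only reaches the `e` (eval) branch with an empty replacement, so the `smart_str_free(&eval_buf)` cleanup that this commit also puts into the callback branch of php_mbregex.c is never exercised. An eval replacement that matches more than once after the buffer has been released is not covered either. I would add one `mb_ereg_replace_callback()` case and one multi-match `e` case with a non-empty replacement to the `--FILE--` section. The call goes through the `mbereg_replace` alias, and a short comment that `$var3 = NULL` is what leaves the eval buffer unallocated would help the next reader.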