diff options
-rw-r--r-- | ext/mbstring/oniguruma/regcomp.c | 1 | ||||
-rw-r--r-- | ext/mbstring/tests/bug77371.phpt | 10 |
2 files changed, 11 insertions, 0 deletions
diff --git a/ext/mbstring/oniguruma/regcomp.c b/ext/mbstring/oniguruma/regcomp.c index b93ca948a7..c72d65d694 100644 --- a/ext/mbstring/oniguruma/regcomp.c +++ b/ext/mbstring/oniguruma/regcomp.c @@ -524,6 +524,7 @@ compile_string_node(Node* node, regex_t* reg) for (; p < end; ) { len = enclen(enc, p); + if (p + len > end) len = end - p; if (len == prev_len) { slen++; } diff --git a/ext/mbstring/tests/bug77371.phpt b/ext/mbstring/tests/bug77371.phpt new file mode 100644 index 0000000000..f23445bd09 --- /dev/null +++ b/ext/mbstring/tests/bug77371.phpt @@ -0,0 +1,10 @@ +--TEST-- +Bug #77371 (heap buffer overflow in mb regex functions - compile_string_node) +--SKIPIF-- +<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?> +--FILE-- +<?php +var_dump(mb_ereg("()0\xfc00000\xfc00000\xfc00000\xfc","")) +?> +--EXPECT-- +bool(false)
\ No newline at end of file |