summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--ext/mbstring/oniguruma/regcomp.c1
-rw-r--r--ext/mbstring/tests/bug77371.phpt10
2 files changed, 11 insertions, 0 deletions
diff --git a/ext/mbstring/oniguruma/regcomp.c b/ext/mbstring/oniguruma/regcomp.c
index b93ca948a7..c72d65d694 100644
--- a/ext/mbstring/oniguruma/regcomp.c
+++ b/ext/mbstring/oniguruma/regcomp.c
@@ -524,6 +524,7 @@ compile_string_node(Node* node, regex_t* reg)
for (; p < end; ) {
len = enclen(enc, p);
+ if (p + len > end) len = end - p;
if (len == prev_len) {
slen++;
}
diff --git a/ext/mbstring/tests/bug77371.phpt b/ext/mbstring/tests/bug77371.phpt
new file mode 100644
index 0000000000..f23445bd09
--- /dev/null
+++ b/ext/mbstring/tests/bug77371.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Bug #77371 (heap buffer overflow in mb regex functions - compile_string_node)
+--SKIPIF--
+<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
+--FILE--
+<?php
+var_dump(mb_ereg("()0\xfc00000\xfc00000\xfc00000\xfc",""))
+?>
+--EXPECT--
+bool(false) \ No newline at end of file
View Lorry Controller Status