diff options
| -rw-r--r-- | ext/mbstring/php_mbregex.c | 6 | ||||
| -rw-r--r-- | ext/mbstring/tests/bug72399.phpt | 10 |
2 files changed, 15 insertions, 1 deletions
diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c index 457ee2ff08..b49b4e9332 100644 --- a/ext/mbstring/php_mbregex.c +++ b/ext/mbstring/php_mbregex.c @@ -459,8 +459,12 @@ static php_mb_regex_t *php_mbregex_compile_pattern(const char *pattern, int patl retval = NULL; goto out; } + if (rc == MBREX(search_re)) { + /* reuse the new rc? see bug #72399 */ + MBREX(search_re) = NULL; + } zend_hash_str_update_ptr(&MBREX(ht_rc), (char *)pattern, patlen, retval); - } else if (rc) { + } else { retval = rc; } out: diff --git a/ext/mbstring/tests/bug72399.phpt b/ext/mbstring/tests/bug72399.phpt new file mode 100644 index 0000000000..ba6ffb2cb1 --- /dev/null +++ b/ext/mbstring/tests/bug72399.phpt @@ -0,0 +1,10 @@ +--TEST-- +Bug #72399 (Use-After-Free in MBString (search_re)) +--FILE-- +<?php +$var5 = mbereg_search_init("","2"); +$var6 = mb_eregi_replace("2","",""); +$var13 = mbereg_search_pos(); +?> +--EXPECTF-- +Warning: mbereg_search_pos(): No regex given in %sbug72399.php on line %d |