diff options
| -rw-r--r-- | NEWS | 2 | ||||
| -rw-r--r-- | ext/mbstring/php_mbregex.c | 4 | ||||
| -rw-r--r-- | ext/mbstring/tests/bug77428.phpt | 14 |
3 files changed, 19 insertions, 1 deletions
@@ -35,6 +35,8 @@ PHP NEWS . Fixed bug #77385 (buffer overflow in fetch_token). (Stas) . Fixed bug #77394 (Buffer overflow in multibyte case folding - unicode). (Stas) . Fixed bug #77418 (Heap overflow in utf32be_mbc_to_code). (Stas) + . Fixed bug #77428 (mb_ereg_replace() doesn't replace a substitution + variable). (Nikita) - MySQLnd: . Fixed bug #75684 (In mysqlnd_ext_plugin.h the plugin methods family has diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c index 85219b00e4..cc96e04f39 100644 --- a/ext/mbstring/php_mbregex.c +++ b/ext/mbstring/php_mbregex.c @@ -791,7 +791,9 @@ static inline void mb_regex_substitute( no = onig_name_to_backref_number(regexp, (OnigUChar *)name, (OnigUChar *)name_end, regs); break; default: - p += clen; + /* We're not treating \ as an escape character and will interpret something like + * \\1 as \ followed by \1, rather than \\ followed by 1. This is because this + * function has not supported escaping of backslashes historically. */ smart_str_appendl(pbuf, sp, p - sp); continue; } diff --git a/ext/mbstring/tests/bug77428.phpt b/ext/mbstring/tests/bug77428.phpt new file mode 100644 index 0000000000..f153412acb --- /dev/null +++ b/ext/mbstring/tests/bug77428.phpt @@ -0,0 +1,14 @@ +--TEST-- +Bug #77428: mb_ereg_replace() doesn't replace a substitution variable +--FILE-- +<?php + +// This behavior is broken, but kept for BC reasons +var_dump(mb_ereg_replace('(%)', '\\\1', 'a%c')); +// For clarify, the above line is equivalent to: +var_dump(mb_ereg_replace('(%)', '\\\\1', 'a%c')); + +?> +--EXPECT-- +string(4) "a\%c" +string(4) "a\%c" |