diff options
| -rw-r--r-- | ext/pcre/php_pcre.c | 8 | ||||
| -rw-r--r-- | ext/pcre/tests/bug73392.phpt | 28 |
2 files changed, 31 insertions, 5 deletions
diff --git a/ext/pcre/php_pcre.c b/ext/pcre/php_pcre.c index 53e122c82b..214904f1b5 100644 --- a/ext/pcre/php_pcre.c +++ b/ext/pcre/php_pcre.c @@ -1523,7 +1523,10 @@ static int preg_replace_impl(zval *return_value, zval *regex, zval *replace, zva RETVAL_STR(result); } else { zend_string_release(result); + RETVAL_NULL(); } + } else { + RETVAL_NULL(); } } @@ -1616,7 +1619,6 @@ static PHP_FUNCTION(preg_replace_callback_array) Z_PARAM_ZVAL_EX(zcount, 0, 1) ZEND_PARSE_PARAMETERS_END(); - ZVAL_UNDEF(&zv); ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(pattern), str_idx, replace) { if (str_idx) { ZVAL_STR_COPY(®ex, str_idx); @@ -1645,10 +1647,6 @@ static PHP_FUNCTION(preg_replace_callback_array) zval_ptr_dtor(®ex); - if (Z_ISUNDEF(zv)) { - RETURN_NULL(); - } - ZVAL_COPY_VALUE(return_value, &zv); if (UNEXPECTED(EG(exception))) { diff --git a/ext/pcre/tests/bug73392.phpt b/ext/pcre/tests/bug73392.phpt new file mode 100644 index 0000000000..2b432543b8 --- /dev/null +++ b/ext/pcre/tests/bug73392.phpt @@ -0,0 +1,28 @@ +--TEST-- +Bug #73392 (A use-after-free in zend allocator management) +--FILE-- +<?php +class Rep { + public function __invoke() { + return "d"; + } +} +class Foo { + public static function rep($rep) { + return "ok"; + } +} +function b() { + return "b"; +} +var_dump(preg_replace_callback_array( + array( + "/a/" => 'b', "/b/" => function () { return "c"; }, "/c/" => new Rep, "reporting" => array("Foo", "rep"), "a1" => array("Foo", "rep"), + ), 'a')); +?> + +--EXPECTF-- +Warning: preg_replace_callback_array(): Delimiter must not be alphanumeric or backslash in %sbug73392.php on line %d + +Warning: preg_replace_callback_array(): Delimiter must not be alphanumeric or backslash in %sbug73392.php on line %d +NULL |