From 0ecac37c40a27ffbd59f34b5920735ee0b7f994c Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Mon, 11 Feb 2019 12:31:59 +0100
Subject: Validate subject encoding in mb_split and mb_ereg_match

We were already validating the subject encoding in most functions,
but not these two.
---
 ext/mbstring/php_mbregex.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'ext/mbstring/php_mbregex.c')

diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
index ab4fe38df2..1b7133c18b 100644
--- a/ext/mbstring/php_mbregex.c
+++ b/ext/mbstring/php_mbregex.c
@@ -1114,6 +1114,11 @@ PHP_FUNCTION(mb_split)
 		count--;
 	}
 
+	if (!php_mb_check_encoding(string, string_len,
+			_php_mb_regex_mbctype2name(MBREX(current_mbctype)))) {
+		RETURN_FALSE;
+	}
+
 	/* create regex pattern buffer */
 	if ((re = php_mbregex_compile_pattern(arg_pattern, arg_pattern_len, MBREX(regex_default_options), MBREX(current_mbctype), MBREX(regex_default_syntax))) == NULL) {
 		RETURN_FALSE;
@@ -1203,6 +1208,11 @@ PHP_FUNCTION(mb_ereg_match)
 		}
 	}
 
+	if (!php_mb_check_encoding(string, string_len,
+			_php_mb_regex_mbctype2name(MBREX(current_mbctype)))) {
+		RETURN_FALSE;
+	}
+
 	if ((re = php_mbregex_compile_pattern(arg_pattern, arg_pattern_len, option, MBREX(current_mbctype), syntax)) == NULL) {
 		RETURN_FALSE;
 	}
-- 
cgit v1.2.1