diff options
| author | Christoph M. Becker <cmbecker69@gmx.de> | 2019-09-20 19:02:22 +0200 |
|---|---|---|
| committer | Christoph M. Becker <cmbecker69@gmx.de> | 2019-09-24 10:04:07 +0200 |
| commit | 90a77d87d4b63db29b1051a784e91e7d368a07e1 (patch) | |
| tree | 06996733ad372c6d34af4cec1e574263dff5cd4b | |
| parent | f4b9ad36240acc38daba403723e9d4ec179b2364 (diff) | |
| download | php-git-90a77d87d4b63db29b1051a784e91e7d368a07e1.tar.gz | |
Fix #78559: Heap buffer overflow in mb_eregi
We backport kkos/oniguruma@d3e402928b6eb3327f8f7d59a9edfa622fec557b.
(cherry picked from commit 8f949eba8083e34d181c30bcf11aaeef2496bb97)
| -rw-r--r-- | NEWS | 3 | ||||
| -rw-r--r-- | ext/mbstring/oniguruma/src/regexec.c | 1 | ||||
| -rw-r--r-- | ext/mbstring/tests/bug78559.phpt | 15 |
3 files changed, 19 insertions, 0 deletions
@@ -23,6 +23,9 @@ PHP NEWS . Ensure IDNA2003 rules are used with idn_to_ascii() and idn_to_utf8() when requested. (Sara) +- MBString: + . Fixed bug #78559 (Heap buffer overflow in mb_eregi). (cmb) + - MySQLnd: . Fixed connect_attr issues and added the _server_host connection attribute. (Qianqian Bu) diff --git a/ext/mbstring/oniguruma/src/regexec.c b/ext/mbstring/oniguruma/src/regexec.c index f957b75923..32c750b1f1 100644 --- a/ext/mbstring/oniguruma/src/regexec.c +++ b/ext/mbstring/oniguruma/src/regexec.c @@ -4196,6 +4196,7 @@ str_lower_case_match(OnigEncoding enc, int case_fold_flag, lowlen = ONIGENC_MBC_CASE_FOLD(enc, case_fold_flag, &p, end, lowbuf); q = lowbuf; while (lowlen > 0) { + if (t >= tend) return 0; if (*t++ != *q++) return 0; lowlen--; } diff --git a/ext/mbstring/tests/bug78559.phpt b/ext/mbstring/tests/bug78559.phpt new file mode 100644 index 0000000000..afe412c141 --- /dev/null +++ b/ext/mbstring/tests/bug78559.phpt @@ -0,0 +1,15 @@ +--TEST-- +Bug #78559 (#78559 Heap buffer overflow in mb_eregi) +--SKIPIF-- +<?php +if (!extension_loaded('mbstring')) die('skip mbstring extension not available'); +if (!function_exists('mb_ereg')) die('skip mb_ereg() not available'); +?> +--FILE-- +<?php +$str = "5b5b5b5b5b5b5b492a5bce946b5c4b5d5c6b5c4b5d5c4b5d1cceb04b5d1cceb07a73717e4b1c52525252525252525252525252525252525252525252525252492a5bce946b5c4b5d5c6b5c4b5d5c4b5d1cceb04b5d1cceb07a73717e4b1c1cceb04b5d1cceb07a73717e4b1c302c36303030ceb07b7bd2a15c305c30663f436f6e74655c5238416711087b363030302c36303030ceb07b7b7b7b7b7b7b363030302c36303030ceb07b7b7b7b7b7b7b4a01"; +$str = hex2bin($str); +var_dump(mb_eregi($str, $str)); +?> +--EXPECT-- +bool(false) |