diff options
author | Christoph M. Becker <cmbecker69@gmx.de> | 2019-10-04 19:02:37 +0200 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2019-10-20 22:47:38 -0700 |
commit | 4f50d58caba8286b5c533f6925b2ec320dd0742e (patch) | |
tree | 7ad7dbae9f4aa084b0781b83b976ea03ec5b7e89 | |
parent | ce035dc4a0732c090741c85f179f36a4b4b6b92d (diff) | |
download | php-git-4f50d58caba8286b5c533f6925b2ec320dd0742e.tar.gz |
Fix #78633: Heap buffer overflow (read) in mb_eregi
We backport kkos/oniguruma@15c4228aa2ffa02140a99912dd3177df0b1841c6.
-rw-r--r-- | ext/mbstring/oniguruma/src/regcomp.c | 2 | ||||
-rw-r--r-- | ext/mbstring/oniguruma/src/regexec.c | 1 | ||||
-rw-r--r-- | ext/mbstring/tests/bug78633.phpt | 13 |
3 files changed, 15 insertions, 1 deletions
diff --git a/ext/mbstring/oniguruma/src/regcomp.c b/ext/mbstring/oniguruma/src/regcomp.c index d1fbd1376e..e91bdec206 100644 --- a/ext/mbstring/oniguruma/src/regcomp.c +++ b/ext/mbstring/oniguruma/src/regcomp.c @@ -724,8 +724,8 @@ add_compile_string(UChar* s, int mb_len, int str_len, COP(reg)->exact_n.s = p; } else { + xmemset(COP(reg)->exact.s, 0, sizeof(COP(reg)->exact.s)); xmemcpy(COP(reg)->exact.s, s, (size_t )byte_len); - COP(reg)->exact.s[byte_len] = '\0'; } return 0; diff --git a/ext/mbstring/oniguruma/src/regexec.c b/ext/mbstring/oniguruma/src/regexec.c index 32c750b1f1..a4809baf5d 100644 --- a/ext/mbstring/oniguruma/src/regexec.c +++ b/ext/mbstring/oniguruma/src/regexec.c @@ -2900,6 +2900,7 @@ match_at(regex_t* reg, const UChar* str, const UChar* end, DATA_ENSURE(0); q = lowbuf; while (len-- > 0) { + if (ps >= endp) goto fail; if (*ps != *q) goto fail; ps++; q++; } diff --git a/ext/mbstring/tests/bug78633.phpt b/ext/mbstring/tests/bug78633.phpt new file mode 100644 index 0000000000..3ff69a1867 --- /dev/null +++ b/ext/mbstring/tests/bug78633.phpt @@ -0,0 +1,13 @@ +--TEST-- +Bug #78633 (Heap buffer overflow (read) in mb_eregi) +--SKIPIF-- +<?php +if (!extension_loaded('mbstring')) die('skip mbstring extension not available'); +if (!function_exists('mb_eregi')) die('skip mb_eregi function not available'); +?> +--FILE-- +<?php +var_dump(mb_eregi(".+IsssĒ°", ".+IsssĒ°")); +?> +--EXPECT-- +bool(false) |