Merge branch 'PHP-7.0'

author: Xinchen Hui <laruence@gmail.com> 2016-06-13 18:20:37 -0700
committer: Xinchen Hui <laruence@gmail.com> 2016-06-13 18:20:37 -0700
commit: 14e790a0753dce4dfaeff1b2d8f9800b519917c1 (patch)
tree: 841db98cc545ad989618166d969c19bef315cb47
parent: 78a13e8290a694c6857e0a67f265127f388065d0 (diff)
parent: 3d5641872239cbd4ec8855b05c90f94fb0d11d7e (diff)
download: php-git-14e790a0753dce4dfaeff1b2d8f9800b519917c1.tar.gz
2 files changed, 15 insertions, 1 deletions
diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
index 457ee2ff08..b49b4e9332 100644
--- a/ext/mbstring/php_mbregex.c
+++ b/ext/mbstring/php_mbregex.c
@@ -459,8 +459,12 @@ static php_mb_regex_t *php_mbregex_compile_pattern(const char *pattern, int patl
 			retval = NULL;
 			goto out;
 		}
+		if (rc == MBREX(search_re)) {
+			/* reuse the new rc? see bug #72399 */
+			MBREX(search_re) = NULL;
+		}
 		zend_hash_str_update_ptr(&MBREX(ht_rc), (char *)pattern, patlen, retval);
-	} else if (rc) {
+	} else {
 		retval = rc;
 	}
 out:
diff --git a/ext/mbstring/tests/bug72399.phpt b/ext/mbstring/tests/bug72399.phpt
new file mode 100644
index 0000000000..ba6ffb2cb1
--- /dev/null
+++ b/ext/mbstring/tests/bug72399.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Bug #72399 (Use-After-Free in MBString (search_re))
+--FILE--
+<?php
+$var5 = mbereg_search_init("","2");
+$var6 = mb_eregi_replace("2","","");
+$var13 = mbereg_search_pos();
+?>
+--EXPECTF--
+Warning: mbereg_search_pos(): No regex given in %sbug72399.php on line %d
author	Xinchen Hui <laruence@gmail.com>	2016-06-13 18:20:37 -0700
committer	Xinchen Hui <laruence@gmail.com>	2016-06-13 18:20:37 -0700
commit	14e790a0753dce4dfaeff1b2d8f9800b519917c1 (patch)
tree	841db98cc545ad989618166d969c19bef315cb47
parent	78a13e8290a694c6857e0a67f265127f388065d0 (diff)
parent	3d5641872239cbd4ec8855b05c90f94fb0d11d7e (diff)
download	php-git-14e790a0753dce4dfaeff1b2d8f9800b519917c1.tar.gz