diff options
author | Nikita Popov <nikita.ppv@gmail.com> | 2019-02-11 12:31:59 +0100 |
---|---|---|
committer | Nikita Popov <nikita.ppv@gmail.com> | 2019-02-11 12:31:59 +0100 |
commit | f5d2a3046656ee51cfe8b2b450230e20a7e019a1 (patch) | |
tree | 68e1306cf4503022f46833bef4574ecb0742b543 | |
parent | 2e594265b8a71306c9c832f2e8f4a0b0feea9408 (diff) | |
download | php-git-f5d2a3046656ee51cfe8b2b450230e20a7e019a1.tar.gz |
Validate subject encoding in mb_split and mb_ereg_match
We were already validating the subject encoding in most functions,
but not these two.
-rw-r--r-- | ext/mbstring/php_mbregex.c | 10 | ||||
-rw-r--r-- | ext/mbstring/tests/bug77367.phpt | 9 | ||||
-rw-r--r-- | ext/mbstring/tests/bug77418.phpt | 7 |
3 files changed, 13 insertions, 13 deletions
diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c index dbe48b2542..64b932a3c2 100644 --- a/ext/mbstring/php_mbregex.c +++ b/ext/mbstring/php_mbregex.c @@ -1259,6 +1259,11 @@ PHP_FUNCTION(mb_split) count--; } + if (!php_mb_check_encoding(string, string_len, + _php_mb_regex_mbctype2name(MBREX(current_mbctype)))) { + RETURN_FALSE; + } + /* create regex pattern buffer */ if ((re = php_mbregex_compile_pattern(arg_pattern, arg_pattern_len, MBREX(regex_default_options), MBREX(current_mbctype), MBREX(regex_default_syntax))) == NULL) { RETURN_FALSE; @@ -1348,6 +1353,11 @@ PHP_FUNCTION(mb_ereg_match) } } + if (!php_mb_check_encoding(string, string_len, + _php_mb_regex_mbctype2name(MBREX(current_mbctype)))) { + RETURN_FALSE; + } + if ((re = php_mbregex_compile_pattern(arg_pattern, arg_pattern_len, option, MBREX(current_mbctype), syntax)) == NULL) { RETURN_FALSE; } diff --git a/ext/mbstring/tests/bug77367.phpt b/ext/mbstring/tests/bug77367.phpt index 0ba76fd23c..3b3e9d5c7c 100644 --- a/ext/mbstring/tests/bug77367.phpt +++ b/ext/mbstring/tests/bug77367.phpt @@ -10,12 +10,5 @@ if (!function_exists('mb_split')) die('mb_split() not available'); mb_regex_encoding('UTF-8'); var_dump(mb_split("\\w", "\xfc")); ?> -===DONE=== --EXPECT-- -array(2) { - [0]=> - string(0) "" - [1]=> - string(0) "" -} -===DONE=== +bool(false) diff --git a/ext/mbstring/tests/bug77418.phpt b/ext/mbstring/tests/bug77418.phpt index b4acc45c21..32577bc98c 100644 --- a/ext/mbstring/tests/bug77418.phpt +++ b/ext/mbstring/tests/bug77418.phpt @@ -1,5 +1,5 @@ --TEST-- -Bug #77371 (Heap overflow in utf32be_mbc_to_code) +Bug #77418 (Heap overflow in utf32be_mbc_to_code) --SKIPIF-- <?php extension_loaded('mbstring') or die('skip mbstring not available'); ?> --FILE-- @@ -8,7 +8,4 @@ mb_regex_encoding("UTF-32"); var_dump(mb_split("\x00\x00\x00\x5c\x00\x00\x00B","000000000000000000000000000000")); ?> --EXPECT-- -array(1) { - [0]=> - string(30) "000000000000000000000000000000" -} +bool(false) |