From 882f97042b55d8f7d3c50f453c56b984334247f2 Mon Sep 17 00:00:00 2001
From: Francois Laupretre
Date: Mon, 4 Jan 2016 16:31:52 +0100
Subject: mb_ereg_search_setpos(): Add support for negative position Also add missing test for this function
---
 ext/mbstring/php_mbregex.c | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'ext/mbstring/php_mbregex.c')
diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
index 1bd26d7334..6a9ab193af 100644
--- a/ext/mbstring/php_mbregex.c
+++ b/ext/mbstring/php_mbregex.c
@@ -1400,6 +1400,11 @@ PHP_FUNCTION(mb_ereg_search_setpos)
 return;
 }
+ /* Accept negative position if length of search string can be determined */
+ if ((position < 0) && (!Z_ISUNDEF(MBREX(search_str))) && (Z_TYPE(MBREX(search_str)) == IS_STRING)) {
+ position += Z_STRLEN(MBREX(search_str));
+ }
+
 if (position < 0 || (!Z_ISUNDEF(MBREX(search_str)) && Z_TYPE(MBREX(search_str)) == IS_STRING && (size_t)position >= Z_STRLEN(MBREX(search_str)))) {
 php_error_docref(NULL, E_WARNING, "Position is out of range");
 MBREX(search_pos) = 0;
-- 
cgit v1.2.1
From 3d5641872239cbd4ec8855b05c90f94fb0d11d7e Mon Sep 17 00:00:00 2001
From: Xinchen Hui
Date: Mon, 13 Jun 2016 18:20:26 -0700
Subject: Fixed bug #72399 (Use-After-Free in MBString (search_re))
---
 ext/mbstring/php_mbregex.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'ext/mbstring/php_mbregex.c')
diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
index 73c94da5e9..c1f9fc2560 100644
--- a/ext/mbstring/php_mbregex.c
+++ b/ext/mbstring/php_mbregex.c
@@ -459,8 +459,12 @@ static php_mb_regex_t *php_mbregex_compile_pattern(const char *pattern, int patl
 retval = NULL;
 goto out;
 }
+ if (rc == MBREX(search_re)) {
+ /* reuse the new rc? see bug #72399 */
+ MBREX(search_re) = NULL;
+ }
 zend_hash_str_update_ptr(&MBREX(ht_rc), (char *)pattern, patlen, retval);
- } else if (rc) {
+ } else {
 retval = rc;
 }
 out:
-- 
cgit v1.2.1
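Review bot: The comment added in mb_ereg_search_setpos() does not say that a negative position is counted in bytes from the end of the stored search string, nor that a value still negative after the adjustment is left for the range check just below it. `Z_STRLEN` is a byte length, so for a multibyte search string the adjusted offset is a byte offset and need not fall on a character boundary; whether the later search tolerates that is not visible here. I would write the comment as `/* Negative position counts bytes back from the end of search_str; if still negative after this, the range check below rejects it */`. The function body starts and ends outside the hunk.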
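Review bot: The comment `/* reuse the new rc? see bug #72399 */` in php_mbregex_compile_pattern() is phrased as a question and does not state why `MBREX(search_re)` is cleared. Going by the commit title, the concern appears to be that replacing the cache entry through `zend_hash_str_update_ptr` releases the old `rc` while `search_re` still points at it; a comment such as `/* the cache update below frees the old rc; drop the search_re alias so it cannot dangle (bug #72399) */` would record that. Setting `search_re` to NULL also means every later reader of `MBREX(search_re)` has to handle NULL, which cannot be confirmed from this hunk. The enclosing `if` condition and the rest of the function are outside the hunk.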
From 999a3553d58c537b4919821855b2cc8fb62b0b2f Mon Sep 17 00:00:00 2001
From: Xinchen Hui
Date: Wed, 15 Jun 2016 14:54:57 +0800
Subject: Fixed(attempt to) bug #72405 (mb_ereg_replace - mbc_to_code (oniguruma) - oob read access) according to ext/mbstring/oniguruma/enc/utf8.c, max bytes are 6
---
 ext/mbstring/php_mbregex.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'ext/mbstring/php_mbregex.c')
diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
index c1f9fc2560..2337926740 100644
--- a/ext/mbstring/php_mbregex.c
+++ b/ext/mbstring/php_mbregex.c
@@ -811,7 +811,7 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp
 OnigUChar *pos;
 OnigUChar *string_lim;
 char *description = NULL;
- char pat_buf[4];
+ char pat_buf[6];
 const mbfl_encoding *enc;
@@ -864,6 +864,8 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp
 pat_buf[1] = '\0';
 pat_buf[2] = '\0';
 pat_buf[3] = '\0';
+ pat_buf[4] = '\0';
+ pat_buf[5] = '\0';
 arg_pattern = pat_buf;
 arg_pattern_len = 1;
-- 
cgit v1.2.1
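Review bot: The size in `char pat_buf[6];` and the added `pat_buf[4]` / `pat_buf[5]` stores in the second hunk (@@ -864) are kept in step by hand, so a later size change can again leave trailing bytes uninitialised for the regex library to read. Zeroing by size removes that coupling, e.g. `memset(pat_buf + 1, 0, sizeof(pat_buf) - 1);` in place of the per-index stores. The value 6 is taken from the UTF-8 encoding file according to the commit message; whether other encodings reaching this function can read further than that is not visible here, so a short comment at the declaration naming where the bound comes from would help. Both hunks sit inside _php_mb_regex_ereg_replace_exec(), whose body extends outside them.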