From 882f97042b55d8f7d3c50f453c56b984334247f2 Mon Sep 17 00:00:00 2001
From: Francois Laupretre
Date: Mon, 4 Jan 2016 16:31:52 +0100
Subject: mb_ereg_search_setpos(): Add support for negative position Also add missing test for this function
---
 ext/mbstring/php_mbregex.c | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'ext/mbstring/php_mbregex.c')
diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
index 1bd26d7334..6a9ab193af 100644
--- a/ext/mbstring/php_mbregex.c
+++ b/ext/mbstring/php_mbregex.c
@@ -1400,6 +1400,11 @@ PHP_FUNCTION(mb_ereg_search_setpos)
 return;
 }
+ /* Accept negative position if length of search string can be determined */
+ if ((position < 0) && (!Z_ISUNDEF(MBREX(search_str))) && (Z_TYPE(MBREX(search_str)) == IS_STRING)) {
+ position += Z_STRLEN(MBREX(search_str));
+ }
+
 if (position < 0 || (!Z_ISUNDEF(MBREX(search_str)) && Z_TYPE(MBREX(search_str)) == IS_STRING && (size_t)position >= Z_STRLEN(MBREX(search_str)))) {
 php_error_docref(NULL, E_WARNING, "Position is out of range");
 MBREX(search_pos) = 0;
-- cgit v1.2.1
From 395863b1d1798100b51c4c8be6e88d574e1a1bf1 Mon Sep 17 00:00:00 2001
From: Xinchen Hui
Date: Thu, 5 May 2016 17:27:34 +0800
Subject: Fixed bug #72164 (Null Pointer Dereference - mb_ereg_replace)
---
 ext/mbstring/php_mbregex.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
(limited to 'ext/mbstring/php_mbregex.c')
diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
index 1bd26d7334..73c94da5e9 100644
--- a/ext/mbstring/php_mbregex.c
+++ b/ext/mbstring/php_mbregex.c
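Review bot: In the block added to mb_ereg_search_setpos(), `position += Z_STRLEN(MBREX(search_str));` adds an unsigned length to a signed position (the context line below casts `(size_t)position` before comparing with the same length), so the sum passes through an unsigned wrap and a conversion back to signed. Assuming `position` is declared as `zend_long` above the hunk, an explicit cast states the intent and keeps sign-conversion warnings quiet: `position += (zend_long)Z_STRLEN(MBREX(search_str));`. The comment could also record the boundary case, e.g. `/* a negative position counts from the end; one that reaches before the start stays negative and is rejected by the range check below */`. The function body starts and ends outside the hunk.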
@@ -935,12 +935,20 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp
 if (eval) {
 zval v;
+ zend_string *eval_str;
 /* null terminate buffer */
 smart_str_0(&eval_buf);
+
+ if (eval_buf.s) {
+ eval_str = eval_buf.s;
+ } else {
+ eval_str = ZSTR_EMPTY_ALLOC();
+ }
+
 /* do eval */
- if (zend_eval_stringl(ZSTR_VAL(eval_buf.s), ZSTR_LEN(eval_buf.s), &v, description) == FAILURE) {
+ if (zend_eval_stringl(ZSTR_VAL(eval_str), ZSTR_LEN(eval_str), &v, description) == FAILURE) {
 efree(description);
- php_error_docref(NULL,E_ERROR, "Failed evaluating code: %s%s", PHP_EOL, ZSTR_VAL(eval_buf.s));
+ php_error_docref(NULL,E_ERROR, "Failed evaluating code: %s%s", PHP_EOL, ZSTR_VAL(eval_str));
 /* zend_error() does not return in this case */
 }
@@ -948,7 +956,7 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp
 convert_to_string(&v);
 smart_str_appendl(&out_buf, Z_STRVAL(v), Z_STRLEN(v));
 /* Clean up */
- ZSTR_LEN(eval_buf.s) = 0;
+ smart_str_free(&eval_buf);
 zval_dtor(&v);
 } else if (is_callable) {
 zval args[1];
@@ -971,9 +979,7 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp
 !Z_ISUNDEF(retval)) {
 convert_to_string_ex(&retval);
 smart_str_appendl(&out_buf, Z_STRVAL(retval), Z_STRLEN(retval));
- if (eval_buf.s) {
- ZSTR_LEN(eval_buf.s) = 0;
- }
+ smart_str_free(&eval_buf);
 zval_ptr_dtor(&retval);
 } else {
 efree(description);
-- cgit v1.2.1
From 3d5641872239cbd4ec8855b05c90f94fb0d11d7e Mon Sep 17 00:00:00 2001
From: Xinchen Hui
Date: Mon, 13 Jun 2016 18:20:26 -0700
Subject: Fixed bug #72399 (Use-After-Free in MBString (search_re))
---
 ext/mbstring/php_mbregex.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'ext/mbstring/php_mbregex.c')
diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
index 73c94da5e9..c1f9fc2560 100644
--- a/ext/mbstring/php_mbregex.c
+++ b/ext/mbstring/php_mbregex.c
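Review bot: The `eval_str` fallback added in the first hunk of _php_mb_regex_ereg_replace_exec() carries no comment saying why `eval_buf.s` can still be NULL after `smart_str_0(&eval_buf)`, which is the whole reason for the fix. I would add above `if (eval_buf.s)` something like `/* eval_buf.s stays NULL when nothing was appended; smart_str_0() only terminates an existing buffer */`; what leaves the buffer empty is presumably an empty replacement, but the code that fills eval_buf is outside the hunk. The two cleanup hunks share the point: `smart_str_free(&eval_buf)` replaces an unguarded `ZSTR_LEN(eval_buf.s) = 0`, and a short `/* NULL-safe, unlike resetting ZSTR_LEN */` would keep a later refactor from reintroducing the dereference. Separately, the E_ERROR message on the failure path still prints the full evaluated string, which is assembled from the replacement and presumably from match data, so it is worth deciding whether that text belongs in an error message at all.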
@@ -459,8 +459,12 @@ static php_mb_regex_t *php_mbregex_compile_pattern(const char *pattern, int patl
 retval = NULL;
 goto out;
 }
+ if (rc == MBREX(search_re)) {
+ /* reuse the new rc? see bug #72399 */
+ MBREX(search_re) = NULL;
+ }
 zend_hash_str_update_ptr(&MBREX(ht_rc), (char *)pattern, patlen, retval);
- } else if (rc) {
+ } else {
 retval = rc;
 }
 out:
-- cgit v1.2.1
From 999a3553d58c537b4919821855b2cc8fb62b0b2f Mon Sep 17 00:00:00 2001
From: Xinchen Hui
Date: Wed, 15 Jun 2016 14:54:57 +0800
Subject: Fixed(attempt to) bug #72405 (mb_ereg_replace - mbc_to_code (oniguruma) - oob read access) according to ext/mbstring/oniguruma/enc/utf8.c, max bytes are 6
---
 ext/mbstring/php_mbregex.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'ext/mbstring/php_mbregex.c')
diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
index c1f9fc2560..2337926740 100644
--- a/ext/mbstring/php_mbregex.c
+++ b/ext/mbstring/php_mbregex.c
@@ -811,7 +811,7 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp
 OnigUChar *pos;
 OnigUChar *string_lim;
 char *description = NULL;
- char pat_buf[4];
+ char pat_buf[6];
 const mbfl_encoding *enc;
@@ -864,6 +864,8 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp
 pat_buf[1] = '\0';
 pat_buf[2] = '\0';
 pat_buf[3] = '\0';
+ pat_buf[4] = '\0';
+ pat_buf[5] = '\0';
 arg_pattern = pat_buf;
 arg_pattern_len = 1;
-- cgit v1.2.1
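Review bot: The comment added in php_mbregex_compile_pattern(), `/* reuse the new rc? see bug #72399 */`, is phrased as a question and does not tell the reader why `MBREX(search_re)` is cleared. Going by the bug title, the guard stops the cached search regex from aliasing the `rc` entry that `zend_hash_str_update_ptr()` replaces on the next line (and presumably frees through the table's destructor, which is not visible here); the comment should say that, e.g. `/* rc is released by the update below; drop the cached search_re if it points at it (bug #72399) */`. It is also worth confirming that every reader of `MBREX(search_re)` tolerates NULL and that no other cached state still refers to the old regex, neither of which can be checked from this hunk. The change from `else if (rc)` to `else` relies on the `if` condition above the hunk already covering `rc == NULL`.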
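Review bot: The buffer size in _php_mb_regex_ereg_replace_exec() is still a bare literal, now `char pat_buf[6];`, and the zero padding is written one index at a time in the second hunk (`pat_buf[4] = '\0'; pat_buf[5] = '\0';`), so the declaration and the padding can drift apart the next time the size changes. `memset(pat_buf, 0, sizeof pat_buf);` ahead of the store to the first byte (that store is above the second hunk) would tie the two together, and a comment such as `/* padded to the longest sequence a decoder may read from one lead byte */` would record why a one-byte pattern needs six bytes. The commit message itself calls this an attempt: `arg_pattern_len` stays 1, so the fix depends on padding rather than on the decoder honouring the length. The bound of 6 is also taken from the UTF-8 table only, so the other supported encodings should be checked against it.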