Fixed bug #72164 (Null Pointer Dereference - mb_ereg_replace)

2024-09-22 02:17:32 +00:00 · 2016-05-05 17:27:34 +08:00 · 2016-05-05 17:27:34 +08:00 · 395863b1d1
commit 395863b1d1
parent c15b6134f6
3 changed files with 29 additions and 6 deletions
--- a/3
+++ b/3
@ -27,6 +27,9 @@ PHP                                                                        NEWS
  . Fixed bug #72069 (Behavior \JsonSerializable different from json_encode).
    (Laruence)

+- Mbstring:
+  . Fixed bug #72164 (Null Pointer Dereference - mb_ereg_replace). (Laruence)
+
 - OCI8:
  . Fixed bug #71600 (oci_fetch_all segfaults when selecting more than eight
    columns). (Tian Yang)
--- a/ext/mbstring/php_mbregex.c
+++ b/ext/mbstring/php_mbregex.c
@ -935,12 +935,20 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp

 			if (eval) {
 				zval v;
+				zend_string *eval_str;
 				/* null terminate buffer */
 				smart_str_0(&eval_buf);
+
+				if (eval_buf.s) {
+					eval_str = eval_buf.s;
+				} else {
+					eval_str = ZSTR_EMPTY_ALLOC();
+				}
+
 				/* do eval */
-				if (zend_eval_stringl(ZSTR_VAL(eval_buf.s), ZSTR_LEN(eval_buf.s), &v, description) == FAILURE) {
+				if (zend_eval_stringl(ZSTR_VAL(eval_str), ZSTR_LEN(eval_str), &v, description) == FAILURE) {
 					efree(description);
-					php_error_docref(NULL,E_ERROR, "Failed evaluating code: %s%s", PHP_EOL, ZSTR_VAL(eval_buf.s));
+					php_error_docref(NULL,E_ERROR, "Failed evaluating code: %s%s", PHP_EOL, ZSTR_VAL(eval_str));
 					/* zend_error() does not return in this case */
 				}

@ -948,7 +956,7 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp
 				convert_to_string(&v);
 				smart_str_appendl(&out_buf, Z_STRVAL(v), Z_STRLEN(v));
 				/* Clean up */
-				ZSTR_LEN(eval_buf.s) = 0;
+				smart_str_free(&eval_buf);
 				zval_dtor(&v);
 			} else if (is_callable) {
 				zval args[1];
@ -971,9 +979,7 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp
 						!Z_ISUNDEF(retval)) {
 					convert_to_string_ex(&retval);
 					smart_str_appendl(&out_buf, Z_STRVAL(retval), Z_STRLEN(retval));
-					if (eval_buf.s) {
-						ZSTR_LEN(eval_buf.s) = 0;
-					}
+					smart_str_free(&eval_buf);
 					zval_ptr_dtor(&retval);
 				} else {
 					efree(description);
--- a/ext/mbstring/tests/bug72164.phpt
+++ b/ext/mbstring/tests/bug72164.phpt
@ -0,0 +1,14 @@
+--TEST--
+Bug #72164 (Null Pointer Dereference - mb_ereg_replace)
+--SKIPIF--
+<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
+--FILE--
+<?php
+$var0 = "e";
+$var2 = "";
+$var3 = NULL;
+$var8 = mbereg_replace($var2,$var3,$var3,$var0);
+var_dump($var8);
+?>
+--EXPECT--
+string(0) ""