Fixed bug #73646 (mb_ereg_search_init null pointer dereference)

NEWS

@@ -6,6 +6,10 @@ PHP                                                                        NEWS
   . Fixed bug #73663 ("Invalid opcode 65/16/8" occurs with a variable created
     with list()). (Laruence)
 
+- Mbstring:
+  . Fixed bug #73646 (mb_ereg_search_init null pointer dereference).
+    (Laruence)
+
 - Opcache:
   . Fixed bug #73654 (Segmentation fault in zend_call_function). (Nikita)
   . Fixed bug #73668 ("SIGFPE Arithmetic exception" in opcache when divide by

ext/mbstring/php_mbregex.c

@@ -1345,13 +1345,13 @@ PHP_FUNCTION(mb_ereg_search_regs)
 PHP_FUNCTION(mb_ereg_search_init)
 {
 	size_t argc = ZEND_NUM_ARGS();
-	zval *arg_str;
+	zend_string *arg_str;
 	char *arg_pattern = NULL, *arg_options = NULL;
 	size_t arg_pattern_len = 0, arg_options_len = 0;
 	OnigSyntaxType *syntax = NULL;
 	OnigOptionType option;
 
-	if (zend_parse_parameters(argc, "z|ss", &arg_str, &arg_pattern, &arg_pattern_len, &arg_options, &arg_options_len) == FAILURE) {
+	if (zend_parse_parameters(argc, "S|ss", &arg_str, &arg_pattern, &arg_pattern_len, &arg_options, &arg_options_len) == FAILURE) {
 		return;
 	}
 
@@ -1379,17 +1379,17 @@ PHP_FUNCTION(mb_ereg_search_init)
 		zval_ptr_dtor(&MBREX(search_str));
 	}
 
-	ZVAL_DUP(&MBREX(search_str), arg_str);
+	ZVAL_STR_COPY(&MBREX(search_str), arg_str);
 
 	if (php_mb_check_encoding(
-	Z_STRVAL_P(arg_str),
-	Z_STRLEN_P(arg_str),
+	ZSTR_VAL(arg_str),
+	ZSTR_LEN(arg_str),
 	_php_mb_regex_mbctype2name(MBREX(current_mbctype))
 	)) {
 		MBREX(search_pos) = 0;
 		RETVAL_TRUE;
 	} else {
-		MBREX(search_pos) = Z_STRLEN_P(arg_str);
+		MBREX(search_pos) = ZSTR_LEN(arg_str);
 		RETVAL_FALSE;
 	}
 

ext/mbstring/tests/bug73646.phpt

@@ -0,0 +1,11 @@
+--TEST--
+Bug #73646 (mb_ereg_search_init null pointer dereference)
+--FILE--
+<?php
+
+$v1=str_repeat("#", -1);
+var_dump(mb_ereg_search_init($v1));
+?>
+--EXPECTF--
+Warning: str_repeat(): Second argument has to be greater than or equal to 0 in %sbug73646.php on line %d
+bool(true)