mirror of
https://github.com/php/php-src.git
synced 2024-09-21 18:07:23 +00:00
Fixed bug #73646 (mb_ereg_search_init null pointer dereference)
This commit is contained in:
parent
4faa540b45
commit
6a43c61bcd
4
NEWS
4
NEWS
@ -6,6 +6,10 @@ PHP NEWS
|
|||||||
. Fixed bug #73663 ("Invalid opcode 65/16/8" occurs with a variable created
|
. Fixed bug #73663 ("Invalid opcode 65/16/8" occurs with a variable created
|
||||||
with list()). (Laruence)
|
with list()). (Laruence)
|
||||||
|
|
||||||
|
- Mbstring:
|
||||||
|
. Fixed bug #73646 (mb_ereg_search_init null pointer dereference).
|
||||||
|
(Laruence)
|
||||||
|
|
||||||
- Opcache:
|
- Opcache:
|
||||||
. Fixed bug #73654 (Segmentation fault in zend_call_function). (Nikita)
|
. Fixed bug #73654 (Segmentation fault in zend_call_function). (Nikita)
|
||||||
. Fixed bug #73668 ("SIGFPE Arithmetic exception" in opcache when divide by
|
. Fixed bug #73668 ("SIGFPE Arithmetic exception" in opcache when divide by
|
||||||
|
@ -1345,13 +1345,13 @@ PHP_FUNCTION(mb_ereg_search_regs)
|
|||||||
PHP_FUNCTION(mb_ereg_search_init)
|
PHP_FUNCTION(mb_ereg_search_init)
|
||||||
{
|
{
|
||||||
size_t argc = ZEND_NUM_ARGS();
|
size_t argc = ZEND_NUM_ARGS();
|
||||||
zval *arg_str;
|
zend_string *arg_str;
|
||||||
char *arg_pattern = NULL, *arg_options = NULL;
|
char *arg_pattern = NULL, *arg_options = NULL;
|
||||||
size_t arg_pattern_len = 0, arg_options_len = 0;
|
size_t arg_pattern_len = 0, arg_options_len = 0;
|
||||||
OnigSyntaxType *syntax = NULL;
|
OnigSyntaxType *syntax = NULL;
|
||||||
OnigOptionType option;
|
OnigOptionType option;
|
||||||
|
|
||||||
if (zend_parse_parameters(argc, "z|ss", &arg_str, &arg_pattern, &arg_pattern_len, &arg_options, &arg_options_len) == FAILURE) {
|
if (zend_parse_parameters(argc, "S|ss", &arg_str, &arg_pattern, &arg_pattern_len, &arg_options, &arg_options_len) == FAILURE) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1379,17 +1379,17 @@ PHP_FUNCTION(mb_ereg_search_init)
|
|||||||
zval_ptr_dtor(&MBREX(search_str));
|
zval_ptr_dtor(&MBREX(search_str));
|
||||||
}
|
}
|
||||||
|
|
||||||
ZVAL_DUP(&MBREX(search_str), arg_str);
|
ZVAL_STR_COPY(&MBREX(search_str), arg_str);
|
||||||
|
|
||||||
if (php_mb_check_encoding(
|
if (php_mb_check_encoding(
|
||||||
Z_STRVAL_P(arg_str),
|
ZSTR_VAL(arg_str),
|
||||||
Z_STRLEN_P(arg_str),
|
ZSTR_LEN(arg_str),
|
||||||
_php_mb_regex_mbctype2name(MBREX(current_mbctype))
|
_php_mb_regex_mbctype2name(MBREX(current_mbctype))
|
||||||
)) {
|
)) {
|
||||||
MBREX(search_pos) = 0;
|
MBREX(search_pos) = 0;
|
||||||
RETVAL_TRUE;
|
RETVAL_TRUE;
|
||||||
} else {
|
} else {
|
||||||
MBREX(search_pos) = Z_STRLEN_P(arg_str);
|
MBREX(search_pos) = ZSTR_LEN(arg_str);
|
||||||
RETVAL_FALSE;
|
RETVAL_FALSE;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
11
ext/mbstring/tests/bug73646.phpt
Normal file
11
ext/mbstring/tests/bug73646.phpt
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
--TEST--
|
||||||
|
Bug #73646 (mb_ereg_search_init null pointer dereference)
|
||||||
|
--FILE--
|
||||||
|
<?php
|
||||||
|
|
||||||
|
$v1=str_repeat("#", -1);
|
||||||
|
var_dump(mb_ereg_search_init($v1));
|
||||||
|
?>
|
||||||
|
--EXPECTF--
|
||||||
|
Warning: str_repeat(): Second argument has to be greater than or equal to 0 in %sbug73646.php on line %d
|
||||||
|
bool(true)
|
Loading…
Reference in New Issue
Block a user