Patch for 73293
commit 21452a5401e9c7e34227b9241495f5839cfc3234 | |
Author: Stanislav Malyshev <stas@php.net> | |
Date: Tue Oct 11 14:14:43 2016 -0700 | |
Fix bug #73284 - heap overflow in php_ereg_replace function | |
diff --git a/ext/ereg/ereg.c b/ext/ereg/ereg.c | |
index 8eb833a..b645c0f 100644 | |
--- a/ext/ereg/ereg.c | |
+++ b/ext/ereg/ereg.c | |
@@ -409,8 +409,8 @@ PHP_EREG_API char *php_ereg_replace(const char *pattern, const char *replace, co | |
*nbuf, /* nbuf is used when we grow the buffer */ | |
*walkbuf; /* used to walk buf when replacing backrefs */ | |
const char *walk; /* used to walk replacement string for backrefs */ | |
- int buf_len; | |
- int pos, tmp, string_len, new_l; | |
+ size_t buf_len, new_l; | |
+ int pos, tmp, string_len; | |
int err, copts = 0; | |
string_len = strlen(string); | |
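Review bot: `string_len` stays `int` here while `buf_len` and `new_l` become `size_t`, so `string_len = strlen(string)` still narrows and, in the next hunk, `buf_len = 2 * string_len + 1` is still evaluated in `int`. For a subject longer than INT_MAX/2 that multiplication overflows before the conversion to `size_t`, and the recorded capacity can then disagree with what `safe_emalloc(string_len, 2, 1)` actually allocated, which would make the later `new_l + 1 > buf_len` growth checks unreliable. Writing `buf_len = 2 * (size_t)string_len + 1;` keeps the arithmetic in the same width as the checked allocation; widening `string_len` itself would need its other uses reviewed, which are outside the hunk. The declarations belong to php_ereg_replace, whose body continues past this hunk.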
@@ -434,8 +434,8 @@ PHP_EREG_API char *php_ereg_replace(const char *pattern, const char *replace, co | |
/* start with a buffer that is twice the size of the stringo | |
we're doing replacements in */ | |
+ buf = safe_emalloc(string_len, 2, 1); | |
buf_len = 2 * string_len + 1; | |
- buf = safe_emalloc(buf_len, sizeof(char), 0); | |
err = pos = 0; | |
buf[0] = '\0'; | |
@@ -472,8 +472,8 @@ PHP_EREG_API char *php_ereg_replace(const char *pattern, const char *replace, co | |
} | |
} | |
if (new_l + 1 > buf_len) { | |
+ nbuf = safe_emalloc(new_l + 1, 2, buf_len); | |
buf_len = 1 + buf_len + 2 * new_l; | |
- nbuf = emalloc(buf_len); | |
strncpy(nbuf, buf, buf_len - 1); | |
nbuf[buf_len - 1] = '\0'; | |
efree(buf); | |
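Review bot: The size passed to `safe_emalloc(new_l + 1, 2, buf_len)` and the capacity recorded by `buf_len = 1 + buf_len + 2 * new_l` are two hand-written expressions that must keep agreeing, and nothing in the code says so. Only the allocation is overflow-checked; the assignment is safe solely because it is one less than the sum that was just checked. A comment such as `/* safe_emalloc checked 2*(new_l+1)+buf_len; the new buf_len is that minus one, so it cannot wrap */` above the pair would make the dependency explicit for the next person who edits either line. The same applies to the identical pair in the hunk at -510, where the visible lines also rely on strncpy's zero padding for termination instead of the explicit `nbuf[buf_len - 1] = '\0'` used here. The enclosing block of php_ereg_replace starts and ends outside the hunk.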
@@ -510,8 +510,8 @@ PHP_EREG_API char *php_ereg_replace(const char *pattern, const char *replace, co | |
} | |
new_l = strlen (buf) + 1; | |
if (new_l + 1 > buf_len) { | |
+ nbuf = safe_emalloc(new_l + 1, 2, buf_len); | |
buf_len = 1 + buf_len + 2 * new_l; | |
- nbuf = safe_emalloc(buf_len, sizeof(char), 0); | |
strncpy(nbuf, buf, buf_len-1); | |
efree(buf); | |
buf = nbuf; | |
@@ -526,7 +526,7 @@ PHP_EREG_API char *php_ereg_replace(const char *pattern, const char *replace, co | |
new_l = strlen(buf) + strlen(&string[pos]); | |
if (new_l + 1 > buf_len) { | |
buf_len = new_l + 1; /* now we know exactly how long it is */ | |
- nbuf = safe_emalloc(buf_len, sizeof(char), 0); | |
+ nbuf = safe_emalloc(new_l, 1, 1); | |
strncpy(nbuf, buf, buf_len-1); | |
efree(buf); | |
buf = nbuf; | |
@@ -598,7 +598,7 @@ static void php_do_ereg_replace(INTERNAL_FUNCTION_PARAMETERS, int icase) | |
if (ret == (char *) -1) { | |
RETVAL_FALSE; | |
} else { | |
- RETVAL_STRING(ret, 1); | |
+ RETVAL_STRINGL_CHECK(ret, strlen(ret), 1); | |
STR_FREE(ret); | |
} | |
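Review bot: The switch to `RETVAL_STRINGL_CHECK` carries no comment saying why the length is now validated, and the call sits before `STR_FREE(ret)`. If the macro aborts the request on an over-long length (its definition is not visible here), `STR_FREE(ret)` is skipped on that path and cleanup is left to request shutdown, which is worth stating next to the call. I would add `/* result may exceed INT_MAX now that php_ereg_replace sizes its buffer with size_t; reject it rather than truncate the length */` above the new line. php_do_ereg_replace begins outside the hunk.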