-
-
Save anonymous/9ecb704363f2df6b5e256a9ab3557257 to your computer and use it in GitHub Desktop.
Patch for 72402
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
commit 5b597a2e5b28e2d5a52fc1be13f425f08f47cb62 | |
Author: Stanislav Malyshev <stas@php.net> | |
Date: Sat Jun 18 21:48:39 2016 -0700 | |
Fix bug #72402: _php_mb_regex_ereg_replace_exec - double free | |
diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c | |
index d73c848..6cdee23 100644 | |
--- a/ext/mbstring/php_mbregex.c | |
+++ b/ext/mbstring/php_mbregex.c | |
@@ -953,7 +953,7 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp | |
eval_buf.len = 0; | |
zval_dtor(&v); | |
} else if (is_callable) { | |
- zval *retval_ptr; | |
+ zval *retval_ptr = NULL; | |
zval **args[1]; | |
zval *subpats; | |
int i; | |
@@ -972,13 +972,12 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp | |
arg_replace_fci.param_count = 1; | |
arg_replace_fci.params = args; | |
arg_replace_fci.retval_ptr_ptr = &retval_ptr; | |
- if (zend_call_function(&arg_replace_fci, &arg_replace_fci_cache TSRMLS_CC) == SUCCESS && arg_replace_fci.retval_ptr_ptr) { | |
+ if (zend_call_function(&arg_replace_fci, &arg_replace_fci_cache TSRMLS_CC) == SUCCESS && arg_replace_fci.retval_ptr_ptr && retval_ptr) { | |
convert_to_string_ex(&retval_ptr); | |
smart_str_appendl(&out_buf, Z_STRVAL_P(retval_ptr), Z_STRLEN_P(retval_ptr)); | |
eval_buf.len = 0; | |
zval_ptr_dtor(&retval_ptr); | |
} else { | |
- efree(description); | |
if (!EG(exception)) { | |
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to call custom replacement function"); | |
} | |
diff --git a/ext/mbstring/tests/bug72402.phpt b/ext/mbstring/tests/bug72402.phpt | |
new file mode 100644 | |
index 0000000..abb290b | |
--- /dev/null | |
+++ b/ext/mbstring/tests/bug72402.phpt | |
@@ -0,0 +1,17 @@ | |
+--TEST-- | |
+Bug #72402: _php_mb_regex_ereg_replace_exec - double free | |
+--SKIPIF-- | |
+<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?> | |
+--FILE-- | |
+<?php | |
+function throwit() { | |
+ throw new Exception('it'); | |
+} | |
+$var10 = "throwit"; | |
+try { | |
+ $var14 = mb_ereg_replace_callback("", $var10, ""); | |
+} catch(Exception $e) {} | |
+?> | |
+DONE | |
+--EXPECT-- | |
+DONE | |
\ No newline at end of file |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment