-
-
Save cmb69/6c00045e545c7ca6db3916dd6fc9a44d to your computer and use it in GitHub Desktop.
PHP Bug #78559
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
From d1883044498be17ed80e15d3b03182d64383ad4b Mon Sep 17 00:00:00 2001 | |
From: "Christoph M. Becker" <cmbecker69@gmx.de> | |
Date: Fri, 20 Sep 2019 19:02:22 +0200 | |
Subject: [PATCH] Fix #78559: Heap buffer overflow in mb_eregi | |
We backport kkos/oniguruma@d3e402928b6eb3327f8f7d59a9edfa622fec557b. | |
--- | |
ext/mbstring/oniguruma/src/regexec.c | 1 + | |
ext/mbstring/tests/bug78559.phpt | 15 +++++++++++++++ | |
2 files changed, 16 insertions(+) | |
create mode 100644 ext/mbstring/tests/bug78559.phpt | |
diff --git a/ext/mbstring/oniguruma/src/regexec.c b/ext/mbstring/oniguruma/src/regexec.c | |
index f957b75923..32c750b1f1 100644 | |
--- a/ext/mbstring/oniguruma/src/regexec.c | |
+++ b/ext/mbstring/oniguruma/src/regexec.c | |
@@ -4196,6 +4196,7 @@ str_lower_case_match(OnigEncoding enc, int case_fold_flag, | |
lowlen = ONIGENC_MBC_CASE_FOLD(enc, case_fold_flag, &p, end, lowbuf); | |
q = lowbuf; | |
while (lowlen > 0) { | |
+ if (t >= tend) return 0; | |
if (*t++ != *q++) return 0; | |
lowlen--; | |
} | |
diff --git a/ext/mbstring/tests/bug78559.phpt b/ext/mbstring/tests/bug78559.phpt | |
new file mode 100644 | |
index 0000000000..afe412c141 | |
--- /dev/null | |
+++ b/ext/mbstring/tests/bug78559.phpt | |
@@ -0,0 +1,15 @@ | |
+--TEST-- | |
+Bug #78559 (#78559 Heap buffer overflow in mb_eregi) | |
+--SKIPIF-- | |
+<?php | |
+if (!extension_loaded('mbstring')) die('skip mbstring extension not available'); | |
+if (!function_exists('mb_ereg')) die('skip mb_ereg() not available'); | |
+?> | |
+--FILE-- | |
+<?php | |
+$str = "5b5b5b5b5b5b5b492a5bce946b5c4b5d5c6b5c4b5d5c4b5d1cceb04b5d1cceb07a73717e4b1c52525252525252525252525252525252525252525252525252492a5bce946b5c4b5d5c6b5c4b5d5c4b5d1cceb04b5d1cceb07a73717e4b1c1cceb04b5d1cceb07a73717e4b1c302c36303030ceb07b7bd2a15c305c30663f436f6e74655c5238416711087b363030302c36303030ceb07b7b7b7b7b7b7b363030302c36303030ceb07b7b7b7b7b7b7b4a01"; | |
+$str = hex2bin($str); | |
+var_dump(mb_eregi($str, $str)); | |
+?> | |
+--EXPECT-- | |
+bool(false) | |
-- | |
2.23.0.windows.1 | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment