-
-
Save cmb69/7248e5b7d10f3fad6dd38d040371fd83 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
From 5c97d829180f99af9e0defd7beea2367c32cdd84 Mon Sep 17 00:00:00 2001 | |
From: "Christoph M. Becker" <cmbecker69@gmx.de> | |
Date: Fri, 4 Oct 2019 19:02:37 +0200 | |
Subject: [PATCH] Fix #78633: Heap buffer overflow (read) in mb_eregi | |
We backport kkos/oniguruma@15c4228aa2ffa02140a99912dd3177df0b1841c6. | |
--- | |
ext/mbstring/oniguruma/src/regcomp.c | 2 +- | |
ext/mbstring/oniguruma/src/regexec.c | 1 + | |
ext/mbstring/tests/bug78633.phpt | 13 +++++++++++++ | |
3 files changed, 15 insertions(+), 1 deletion(-) | |
create mode 100644 ext/mbstring/tests/bug78633.phpt | |
diff --git a/ext/mbstring/oniguruma/src/regcomp.c b/ext/mbstring/oniguruma/src/regcomp.c | |
index d1fbd1376e..e91bdec206 100644 | |
--- a/ext/mbstring/oniguruma/src/regcomp.c | |
+++ b/ext/mbstring/oniguruma/src/regcomp.c | |
@@ -724,8 +724,8 @@ add_compile_string(UChar* s, int mb_len, int str_len, | |
COP(reg)->exact_n.s = p; | |
} | |
else { | |
+ xmemset(COP(reg)->exact.s, 0, sizeof(COP(reg)->exact.s)); | |
xmemcpy(COP(reg)->exact.s, s, (size_t )byte_len); | |
- COP(reg)->exact.s[byte_len] = '\0'; | |
} | |
return 0; | |
diff --git a/ext/mbstring/oniguruma/src/regexec.c b/ext/mbstring/oniguruma/src/regexec.c | |
index 32c750b1f1..a4809baf5d 100644 | |
--- a/ext/mbstring/oniguruma/src/regexec.c | |
+++ b/ext/mbstring/oniguruma/src/regexec.c | |
@@ -2900,6 +2900,7 @@ match_at(regex_t* reg, const UChar* str, const UChar* end, | |
DATA_ENSURE(0); | |
q = lowbuf; | |
while (len-- > 0) { | |
+ if (ps >= endp) goto fail; | |
if (*ps != *q) goto fail; | |
ps++; q++; | |
} | |
diff --git a/ext/mbstring/tests/bug78633.phpt b/ext/mbstring/tests/bug78633.phpt | |
new file mode 100644 | |
index 0000000000..3ff69a1867 | |
--- /dev/null | |
+++ b/ext/mbstring/tests/bug78633.phpt | |
@@ -0,0 +1,13 @@ | |
+--TEST-- | |
+Bug #78633 (Heap buffer overflow (read) in mb_eregi) | |
+--SKIPIF-- | |
+<?php | |
+if (!extension_loaded('mbstring')) die('skip mbstring extension not available'); | |
+if (!function_exists('mb_eregi')) die('skip mb_eregi function not available'); | |
+?> | |
+--FILE-- | |
+<?php | |
+var_dump(mb_eregi(".+Isssǰ", ".+Isssǰ")); | |
+?> | |
+--EXPECT-- | |
+bool(false) | |
-- | |
2.23.0.windows.1 | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment