Skip to content

Instantly share code, notes, and snippets.

@cmb69 cmb69/.patch Secret

Created Oct 4, 2019
Embed
What would you like to do?
From 5c97d829180f99af9e0defd7beea2367c32cdd84 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Fri, 4 Oct 2019 19:02:37 +0200
Subject: [PATCH] Fix #78633: Heap buffer overflow (read) in mb_eregi
We backport kkos/oniguruma@15c4228aa2ffa02140a99912dd3177df0b1841c6.
---
ext/mbstring/oniguruma/src/regcomp.c | 2 +-
ext/mbstring/oniguruma/src/regexec.c | 1 +
ext/mbstring/tests/bug78633.phpt | 13 +++++++++++++
3 files changed, 15 insertions(+), 1 deletion(-)
create mode 100644 ext/mbstring/tests/bug78633.phpt
diff --git a/ext/mbstring/oniguruma/src/regcomp.c b/ext/mbstring/oniguruma/src/regcomp.c
index d1fbd1376e..e91bdec206 100644
--- a/ext/mbstring/oniguruma/src/regcomp.c
+++ b/ext/mbstring/oniguruma/src/regcomp.c
@@ -724,8 +724,8 @@ add_compile_string(UChar* s, int mb_len, int str_len,
COP(reg)->exact_n.s = p;
}
else {
+ xmemset(COP(reg)->exact.s, 0, sizeof(COP(reg)->exact.s));
xmemcpy(COP(reg)->exact.s, s, (size_t )byte_len);
- COP(reg)->exact.s[byte_len] = '\0';
}
return 0;
diff --git a/ext/mbstring/oniguruma/src/regexec.c b/ext/mbstring/oniguruma/src/regexec.c
index 32c750b1f1..a4809baf5d 100644
--- a/ext/mbstring/oniguruma/src/regexec.c
+++ b/ext/mbstring/oniguruma/src/regexec.c
@@ -2900,6 +2900,7 @@ match_at(regex_t* reg, const UChar* str, const UChar* end,
DATA_ENSURE(0);
q = lowbuf;
while (len-- > 0) {
+ if (ps >= endp) goto fail;
if (*ps != *q) goto fail;
ps++; q++;
}
diff --git a/ext/mbstring/tests/bug78633.phpt b/ext/mbstring/tests/bug78633.phpt
new file mode 100644
index 0000000000..3ff69a1867
--- /dev/null
+++ b/ext/mbstring/tests/bug78633.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #78633 (Heap buffer overflow (read) in mb_eregi)
+--SKIPIF--
+<?php
+if (!extension_loaded('mbstring')) die('skip mbstring extension not available');
+if (!function_exists('mb_eregi')) die('skip mb_eregi function not available');
+?>
+--FILE--
+<?php
+var_dump(mb_eregi(".+Isssǰ", ".+Isssǰ"));
+?>
+--EXPECT--
+bool(false)
--
2.23.0.windows.1
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.