Skip to content

Instantly share code, notes, and snippets.

@cmb69 cmb69/.patch Secret
Created Dec 29, 2018

Embed
What would you like to do?
PHP bug #77367
From e97e9638465859e2a73333da101373db3126495b Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Sat, 29 Dec 2018 14:17:23 +0100
Subject: [PATCH] Fix #77367: Negative size parameter in mb_split
When adding the last element to the result value of `mb_split`, the
`chunk_pos` may point beyond the end of the string, in which case the
unsigned `n` would underflow. Therefore, we check whether this is the
case in the first place, and only calculate `n` otherwise. Since `n`
is no longer used outside the block, we move its declaration inside.
---
ext/mbstring/php_mbregex.c | 5 ++---
ext/mbstring/tests/bug77367.phpt | 21 +++++++++++++++++++++
2 files changed, 23 insertions(+), 3 deletions(-)
create mode 100644 ext/mbstring/tests/bug77367.phpt
diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
index 68922b6966..85219b00e4 100644
--- a/ext/mbstring/php_mbregex.c
+++ b/ext/mbstring/php_mbregex.c
@@ -1238,7 +1238,6 @@ PHP_FUNCTION(mb_split)
size_t string_len;
int err;
- size_t n;
zend_long count = -1;
if (zend_parse_parameters(ZEND_NUM_ARGS(), "ss|l", &arg_pattern, &arg_pattern_len, &string, &string_len, &count) == FAILURE) {
@@ -1296,8 +1295,8 @@ PHP_FUNCTION(mb_split)
}
/* otherwise we just have one last element to add to the array */
- n = ((OnigUChar *)(string + string_len) - chunk_pos);
- if (n > 0) {
+ if ((OnigUChar *)(string + string_len) > chunk_pos) {
+ size_t n = ((OnigUChar *)(string + string_len) - chunk_pos);
add_next_index_stringl(return_value, (char *)chunk_pos, n);
} else {
add_next_index_stringl(return_value, "", 0);
diff --git a/ext/mbstring/tests/bug77367.phpt b/ext/mbstring/tests/bug77367.phpt
new file mode 100644
index 0000000000..0ba76fd23c
--- /dev/null
+++ b/ext/mbstring/tests/bug77367.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Bug #77367 (Negative size parameter in mb_split)
+--SKIPIF--
+<?php
+if (!extension_loaded('mbstring')) die('mbstring extension not available');
+if (!function_exists('mb_split')) die('mb_split() not available');
+?>
+--FILE--
+<?php
+mb_regex_encoding('UTF-8');
+var_dump(mb_split("\\w", "\xfc"));
+?>
+===DONE===
+--EXPECT--
+array(2) {
+ [0]=>
+ string(0) ""
+ [1]=>
+ string(0) ""
+}
+===DONE===
--
2.17.0.windows.1
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.