PHP bug #77367
From e97e9638465859e2a73333da101373db3126495b Mon Sep 17 00:00:00 2001 | |
From: "Christoph M. Becker" <cmbecker69@gmx.de> | |
Date: Sat, 29 Dec 2018 14:17:23 +0100 | |
Subject: [PATCH] Fix #77367: Negative size parameter in mb_split | |
When adding the last element to the result value of `mb_split`, the | |
`chunk_pos` may point beyond the end of the string, in which case the | |
unsigned `n` would underflow. Therefore, we check whether this is the | |
case in the first place, and only calculate `n` otherwise. Since `n` | |
is no longer used outside the block, we move its declaration inside. | |
--- | |
ext/mbstring/php_mbregex.c | 5 ++--- | |
ext/mbstring/tests/bug77367.phpt | 21 +++++++++++++++++++++ | |
2 files changed, 23 insertions(+), 3 deletions(-) | |
create mode 100644 ext/mbstring/tests/bug77367.phpt | |
diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c | |
index 68922b6966..85219b00e4 100644 | |
--- a/ext/mbstring/php_mbregex.c | |
+++ b/ext/mbstring/php_mbregex.c | |
@@ -1238,7 +1238,6 @@ PHP_FUNCTION(mb_split) | |
size_t string_len; | |
int err; | |
- size_t n; | |
zend_long count = -1; | |
if (zend_parse_parameters(ZEND_NUM_ARGS(), "ss|l", &arg_pattern, &arg_pattern_len, &string, &string_len, &count) == FAILURE) { | |
@@ -1296,8 +1295,8 @@ PHP_FUNCTION(mb_split) | |
} | |
/* otherwise we just have one last element to add to the array */ | |
- n = ((OnigUChar *)(string + string_len) - chunk_pos); | |
- if (n > 0) { | |
+ if ((OnigUChar *)(string + string_len) > chunk_pos) { | |
+ size_t n = ((OnigUChar *)(string + string_len) - chunk_pos); | |
add_next_index_stringl(return_value, (char *)chunk_pos, n); | |
} else { | |
add_next_index_stringl(return_value, "", 0); | |
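Review bot: The new guard `if ((OnigUChar *)(string + string_len) > chunk_pos)` has no comment explaining why `chunk_pos` can lie past the end of the subject. A later cleanup could fold the check back into an unsigned subtraction and reintroduce the wrapped length passed to `add_next_index_stringl`. I would add above it `/* chunk_pos may be past string + string_len (bug #77367); compare before subtracting so the size_t cannot wrap */`. The loop that advances `chunk_pos` starts outside this hunk, so it is not visible whether uses of `chunk_pos` inside the loop are bounded in the same way. That is worth confirming, since this change only covers the last element.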
diff --git a/ext/mbstring/tests/bug77367.phpt b/ext/mbstring/tests/bug77367.phpt | |
new file mode 100644 | |
index 0000000000..0ba76fd23c | |
--- /dev/null | |
+++ b/ext/mbstring/tests/bug77367.phpt | |
@@ -0,0 +1,21 @@ | |
+--TEST-- | |
+Bug #77367 (Negative size parameter in mb_split) | |
+--SKIPIF-- | |
+<?php | |
+if (!extension_loaded('mbstring')) die('mbstring extension not available'); | |
+if (!function_exists('mb_split')) die('mb_split() not available'); | |
+?> | |
+--FILE-- | |
+<?php | |
+mb_regex_encoding('UTF-8'); | |
+var_dump(mb_split("\\w", "\xfc")); | |
+?> | |
+===DONE=== | |
+--EXPECT-- | |
+array(2) { | |
+ [0]=> | |
+ string(0) "" | |
+ [1]=> | |
+ string(0) "" | |
+} | |
+===DONE=== | |
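Review bot: The two SKIPIF lines `die('mbstring extension not available')` and `die('mb_split() not available')` print messages that do not begin with `skip`, and the phpt runner only treats the section as a skip when its output starts with that word. On a build without mbstring or without mbregex the test would therefore run and fail instead of being skipped. Change them to `die('skip mbstring extension not available');` and `die('skip mb_split() not available');`. The test covers only the lone byte `"\xfc"`; a second input with valid text before the trailing byte would help confirm that the guard leaves ordinary results unchanged.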
-- | |
2.17.0.windows.1 | |