commit d949cca738a67419c7d73f032ffe81ca6b77d803
Author: Stanislav Malyshev <stas@php.net>
Date: Sat Dec 29 20:06:08 2018 -0800
Fix bug #77371 (heap buffer overflow in mb regex functions - compile_string_node)
diff --git a/ext/mbstring/oniguruma/regcomp.c b/ext/mbstring/oniguruma/regcomp.c
index 995e1d8861..4469f33a56 100644
--- a/ext/mbstring/oniguruma/regcomp.c
+++ b/ext/mbstring/oniguruma/regcomp.c
@@ -524,6 +524,7 @@ compile_string_node(Node* node, regex_t* reg)
for (; p < end; ) {
len = enclen(enc, p);
+ if (p + len > end) len = end - p;
if (len == prev_len) {
slen++;
}
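Review bot: The clamp in `if (p + len > end) len = end - p;` silently shortens a truncated trailing multibyte character instead of rejecting it, and the added line has no comment explaining why it is needed. `enclen(enc, p)` is called without any end bound, so the length it returns can run past `end` when the last character of the pattern is incomplete. A short comment stating that would help the next reader. It is also worth deciding whether a truncated sequence should fail compilation with an error rather than continue, because the clamped `len` still feeds the `len == prev_len` comparison below and the partial tail is then grouped as if it were a complete character of that width.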
diff --git a/ext/mbstring/tests/bug77371.phpt b/ext/mbstring/tests/bug77371.phpt
new file mode 100644
index 0000000000..f23445bd09
--- /dev/null
+++ b/ext/mbstring/tests/bug77371.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Bug #77371 (heap buffer overflow in mb regex functions - compile_string_node)
+--SKIPIF--
+<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
+--FILE--
+<?php
+var_dump(mb_ereg("()0\xfc00000\xfc00000\xfc00000\xfc",""))
+?>
+--EXPECT--
+bool(false)
\ No newline at end of file
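Review bot: The `--EXPECT--` section checks only for `bool(false)`, so this test asserts the return value and not the absence of the out-of-bounds access; on a build without a memory checker it can pass whether or not the fix is present. Consider noting in the test that it is meant to run under ASan or valgrind. The test also covers a single `mb_ereg` call with one pattern although the bug title refers to the mb regex functions in general, so a second case through another entry point would widen coverage. Two style points: the `var_dump(...)` statement has no terminating semicolon (it parses only because `?>` follows), and the file has no newline at end of file.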