Created
December 30, 2018 04:07
-
-
Save smalyshev/01688aa8e20317ee8c2ebc3cb4dd63b3 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
commit d949cca738a67419c7d73f032ffe81ca6b77d803 | |
Author: Stanislav Malyshev <stas@php.net> | |
Date: Sat Dec 29 20:06:08 2018 -0800 | |
Fix bug #77371 (heap buffer overflow in mb regex functions - compile_string_node) | |
diff --git a/ext/mbstring/oniguruma/regcomp.c b/ext/mbstring/oniguruma/regcomp.c | |
index 995e1d8861..4469f33a56 100644 | |
--- a/ext/mbstring/oniguruma/regcomp.c | |
+++ b/ext/mbstring/oniguruma/regcomp.c | |
@@ -524,6 +524,7 @@ compile_string_node(Node* node, regex_t* reg) | |
for (; p < end; ) { | |
len = enclen(enc, p); | |
+ if (p + len > end) len = end - p; | |
if (len == prev_len) { | |
slen++; | |
} | |
diff --git a/ext/mbstring/tests/bug77371.phpt b/ext/mbstring/tests/bug77371.phpt | |
new file mode 100644 | |
index 0000000000..f23445bd09 | |
--- /dev/null | |
+++ b/ext/mbstring/tests/bug77371.phpt | |
@@ -0,0 +1,10 @@ | |
+--TEST-- | |
+Bug #77371 (heap buffer overflow in mb regex functions - compile_string_node) | |
+--SKIPIF-- | |
+<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?> | |
+--FILE-- | |
+<?php | |
+var_dump(mb_ereg("()0\xfc00000\xfc00000\xfc00000\xfc","")) | |
+?> | |
+--EXPECT-- | |
+bool(false) | |
\ No newline at end of file |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment