Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
commit d949cca738a67419c7d73f032ffe81ca6b77d803
Author: Stanislav Malyshev <stas@php.net>
Date: Sat Dec 29 20:06:08 2018 -0800
Fix bug #77371 (heap buffer overflow in mb regex functions - compile_string_node)
diff --git a/ext/mbstring/oniguruma/regcomp.c b/ext/mbstring/oniguruma/regcomp.c
index 995e1d8861..4469f33a56 100644
--- a/ext/mbstring/oniguruma/regcomp.c
+++ b/ext/mbstring/oniguruma/regcomp.c
@@ -524,6 +524,7 @@ compile_string_node(Node* node, regex_t* reg)
for (; p < end; ) {
len = enclen(enc, p);
+ if (p + len > end) len = end - p;
if (len == prev_len) {
slen++;
}
diff --git a/ext/mbstring/tests/bug77371.phpt b/ext/mbstring/tests/bug77371.phpt
new file mode 100644
index 0000000000..f23445bd09
--- /dev/null
+++ b/ext/mbstring/tests/bug77371.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Bug #77371 (heap buffer overflow in mb regex functions - compile_string_node)
+--SKIPIF--
+<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
+--FILE--
+<?php
+var_dump(mb_ereg("()0\xfc00000\xfc00000\xfc00000\xfc",""))
+?>
+--EXPECT--
+bool(false)
\ No newline at end of file
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment