Created
December 30, 2018 03:54
commit 0839641503bc381d64347081b4308dd7335a26b5 | |
Author: Stanislav Malyshev <stas@php.net> | |
Date: Sat Dec 29 19:51:24 2018 -0800 | |
Fix bug #77370 - check that we do not read past buffer end when parsing multibytes | |
diff --git a/ext/mbstring/oniguruma/regparse.c b/ext/mbstring/oniguruma/regparse.c | |
index d2925f1e81..252ca18712 100644 | |
--- a/ext/mbstring/oniguruma/regparse.c | |
+++ b/ext/mbstring/oniguruma/regparse.c | |
@@ -246,6 +246,12 @@ strdup_with_null(OnigEncoding enc, UChar* s, UChar* end) | |
} | |
#endif | |
+#if (defined (__GNUC__) && __GNUC__ > 2 ) && !defined(DARWIN) && !defined(__hpux) && !defined(_AIX) | |
+# define UNEXPECTED(condition) __builtin_expect(condition, 0) | |
+#else | |
+# define UNEXPECTED(condition) (condition) | |
+#endif | |
+ | |
/* scan pattern methods */ | |
#define PEND_VALUE 0 | |
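Review bot: `UNEXPECTED` is defined here with no `#ifndef UNEXPECTED` guard and no comment, in a file that belongs to the bundled oniguruma sources. The name is generic enough that another header may define it as well (presumably PHP's own portability header does), which would cause a redefinition if that header ever reaches this translation unit; wrapping the block in `#ifndef UNEXPECTED` … `#endif` avoids that. The GCC branch should also normalise its argument, `__builtin_expect(!!(condition), 0)`, so that both branches treat non-0/1 and pointer-typed conditions the same way. A one-line comment such as `/* branch hint for the bounds checks in PFETCH/PINC_S/PFETCH_S */` would explain why a local copy exists.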
@@ -260,14 +266,17 @@ strdup_with_null(OnigEncoding enc, UChar* s, UChar* end) | |
c = ONIGENC_MBC_TO_CODE(enc, p, end); \ | |
pfetch_prev = p; \ | |
p += ONIGENC_MBC_ENC_LEN(enc, p); \ | |
+ if(UNEXPECTED(p > end)) p = end; \ | |
} while (0) | |
#define PINC_S do { \ | |
p += ONIGENC_MBC_ENC_LEN(enc, p); \ | |
+ if(UNEXPECTED(p > end)) p = end; \ | |
} while (0) | |
#define PFETCH_S(c) do { \ | |
c = ONIGENC_MBC_TO_CODE(enc, p, end); \ | |
p += ONIGENC_MBC_ENC_LEN(enc, p); \ | |
+ if(UNEXPECTED(p > end)) p = end; \ | |
} while (0) | |
#define PPEEK (p < end ? ONIGENC_MBC_TO_CODE(enc, p, end) : PEND_VALUE) | |
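Review bot: In all three macros the new clamp runs only after `p += ONIGENC_MBC_ENC_LEN(enc, p)` has already moved `p` beyond `end`, and in PFETCH and PFETCH_S only after `ONIGENC_MBC_TO_CODE(enc, p, end)` has decoded the truncated sequence. Forming a pointer more than one element past the end of the buffer is undefined behaviour in C even when it is never dereferenced, and whether the decode itself stays within `end` depends on the encoding's implementation, which is not visible here. Bounding the length before the add avoids the first problem: `int len_ = ONIGENC_MBC_ENC_LEN(enc, p);` followed by `p = UNEXPECTED(len_ > end - p) ? end : p + len_;`. A comment on the macros should also state that a truncated trailing sequence is consumed up to `end` rather than rejected as invalid. The `#define PFETCH(c)` line sits above the hunk.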
diff --git a/ext/mbstring/tests/bug77370.phpt b/ext/mbstring/tests/bug77370.phpt | |
new file mode 100644 | |
index 0000000000..c4d25582fe | |
--- /dev/null | |
+++ b/ext/mbstring/tests/bug77370.phpt | |
@@ -0,0 +1,13 @@ | |
+--TEST-- | |
+Bug #77370 (Buffer overflow on mb regex functions - fetch_token) | |
+--SKIPIF-- | |
+<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?> | |
+--FILE-- | |
+<?php | |
+var_dump(mb_split(" \xfd","")); | |
+?> | |
+--EXPECT-- | |
+array(1) { | |
+ [0]=> | |
+ string(0) "" | |
+} |
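Review bot: The test asserts only on the printed result of one `mb_split` call, and an out-of-bounds read of a few bytes usually leaves that output unchanged, so it will probably pass on an unpatched build unless the run is under ASan or valgrind. The `--TEST--` title names `fetch_token`, but the commit patches three macros (PFETCH, PINC_S, PFETCH_S), and nothing here shows that the single pattern reaches more than one of them. Consider adding a line to the description, e.g. `Only meaningful under a memory checker (ASan/valgrind)`, and further `var_dump(mb_split(...))` cases with a truncated lead byte in other positions of the pattern.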