Fix bug #77371 (heap buffer overflow in mb regex functions - compile_string_node)

smalyshev · smalyshev · commit c6e34d91b886 · 2019-01-06T11:38:46.000-08:00
diff --git a/ext/mbstring/oniguruma/regcomp.c b/ext/mbstring/oniguruma/regcomp.c
@@ -524,6 +524,7 @@ compile_string_node(Node* node, regex_t* reg)
 
   for (; p < end; ) {
     len = enclen(enc, p);
+    if (p + len > end) len = end - p;
     if (len == prev_len) {
       slen++;
     }
diff --git a/ext/mbstring/tests/bug77371.phpt b/ext/mbstring/tests/bug77371.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Bug #77371 (heap buffer overflow in mb regex functions - compile_string_node)
+--SKIPIF--
+<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
+--FILE--
+<?php
+var_dump(mb_ereg("()0\xfc00000\xfc00000\xfc00000\xfc",""))
+?>
+--EXPECT--
+bool(false)

Original file line number	Diff line number	Diff line change
`@@ -524,6 +524,7 @@ compile_string_node(Node* node, regex_t* reg)`
`524`	`524`
`525`	`525`	`for (; p < end; ) {`
`526`	`526`	`len = enclen(enc, p);`
	`527`	`+ if (p + len > end) len = end - p;`
`527`	`528`	`if (len == prev_len) {`
`528`	`529`	`slen++;`
`529`	`530`	`}`