php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-04-21 15:08:16 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'PHP-7.4'

Browse Source 
* PHP-7.4:
  Fixed bug #79188
This commit is contained in:
Nikita Popov
2020-02-05 11:21:34 +01:00
parent b3f17ea5d5 e30f52b919
commit 065224190d
2 changed files with 29 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ext/pcre/php_pcre.c
+16 -18
View File
@@ -1561,6 +1561,7 @@ PHPAPI zend_string *php_pcre_replace_impl(pcre_cache_entry *pce, zend_string *su
size_t match_len; /* Length of the current match */
int backref; /* Backreference number */
PCRE2_SIZE start_offset; /* Where the new search starts */
size_t last_end_offset; /* Where the last search ended */
char *walkbuf, /* Location of current replacement in the result */
*walk, /* Used to walk the replacement string */
*match, /* The current match */
@@ -1579,6 +1580,7 @@ PHPAPI zend_string *php_pcre_replace_impl(pcre_cache_entry *pce, zend_string *su
/* Initialize */
match = NULL;
start_offset = 0;
last_end_offset = 0;
result_len = 0;
PCRE_G(error_code) = PHP_PCRE_NO_ERROR;
@@ -1605,7 +1607,7 @@ PHPAPI zend_string *php_pcre_replace_impl(pcre_cache_entry *pce, zend_string *su
options, match_data, mctx);
while (1) {
piece = subject + start_offset;
piece = subject + last_end_offset;
if (count >= 0 && limit > 0) {
zend_bool simple_string;
@@ -1635,7 +1637,7 @@ matched:
/* Set the match location in subject */
match = subject + offsets[0];
new_len = result_len + offsets[0] - start_offset; /* part before the match */
new_len = result_len + offsets[0] - last_end_offset; /* part before the match */
walk = ZSTR_VAL(replace_str);
replace_end = walk + ZSTR_LEN(replace_str);
@@ -1712,7 +1714,7 @@ matched:
limit--;
/* Advance to the next piece. */
start_offset = offsets[1];
start_offset = last_end_offset = offsets[1];
/* If we have matched an empty string, mimic what Perl's /g options does.
This turns out to be rather cunning. First we set PCRE2_NOTEMPTY_ATSTART and try
@@ -1732,10 +1734,7 @@ matched:
to achieve this, unless we're already at the end of the string. */
if (start_offset < subject_len) {
size_t unit_len = calculate_unit_length(pce, piece);
start_offset += unit_len;
memcpy(ZSTR_VAL(result) + result_len, piece, unit_len);
result_len += unit_len;
} else {
goto not_matched;
}
@@ -1750,7 +1749,7 @@ not_matched:
result = zend_string_copy(subject_str);
break;
}
new_len = result_len + subject_len - start_offset;
new_len = result_len + subject_len - last_end_offset;
if (new_len >= alloc_len) {
alloc_len = new_len; /* now we know exactly how long it is */
if (NULL != result) {
@@ -1760,8 +1759,8 @@ not_matched:
}
}
/* stick that last bit of string on our output */
memcpy(ZSTR_VAL(result) + result_len, piece, subject_len - start_offset);
result_len += subject_len - start_offset;
memcpy(ZSTR_VAL(result) + result_len, piece, subject_len - last_end_offset);
result_len += subject_len - last_end_offset;
ZSTR_VAL(result)[result_len] = '\0';
ZSTR_LEN(result) = result_len;
break;
@@ -1803,6 +1802,7 @@ static zend_string *php_pcre_replace_func_impl(pcre_cache_entry *pce, zend_strin
size_t new_len; /* Length of needed storage */
size_t alloc_len; /* Actual allocated length */
PCRE2_SIZE start_offset; /* Where the new search starts */
size_t last_end_offset; /* Where the last search ended */
char *match, /* The current match */
*piece; /* The current piece of subject */
size_t result_len; /* Length of result */
@@ -1832,6 +1832,7 @@ static zend_string *php_pcre_replace_func_impl(pcre_cache_entry *pce, zend_strin
/* Initialize */
match = NULL;
start_offset = 0;
last_end_offset = 0;
result_len = 0;
PCRE_G(error_code) = PHP_PCRE_NO_ERROR;
@@ -1864,7 +1865,7 @@ static zend_string *php_pcre_replace_func_impl(pcre_cache_entry *pce, zend_strin
options, match_data, mctx);
while (1) {
piece = subject + start_offset;
piece = subject + last_end_offset;
if (count >= 0 && limit) {
/* Check for too many substrings condition. */
@@ -1892,7 +1893,7 @@ matched:
/* Set the match location in subject */
match = subject + offsets[0];
new_len = result_len + offsets[0] - start_offset; /* part before the match */
new_len = result_len + offsets[0] - last_end_offset; /* part before the match */
/* Use custom function to get replacement string and its length. */
eval_result = preg_do_repl_func(
@@ -1924,7 +1925,7 @@ matched:
limit--;
/* Advance to the next piece. */
start_offset = offsets[1];
start_offset = last_end_offset = offsets[1];
/* If we have matched an empty string, mimic what Perl's /g options does.
This turns out to be rather cunning. First we set PCRE2_NOTEMPTY_ATSTART and try
@@ -1944,10 +1945,7 @@ matched:
to achieve this, unless we're already at the end of the string. */
if (start_offset < subject_len) {
size_t unit_len = calculate_unit_length(pce, piece);
start_offset += unit_len;
memcpy(ZSTR_VAL(result) + result_len, piece, unit_len);
result_len += unit_len;
} else {
goto not_matched;
}
@@ -1962,7 +1960,7 @@ not_matched:
result = zend_string_copy(subject_str);
break;
}
new_len = result_len + subject_len - start_offset;
new_len = result_len + subject_len - last_end_offset;
if (new_len >= alloc_len) {
alloc_len = new_len; /* now we know exactly how long it is */
if (NULL != result) {
@@ -1972,8 +1970,8 @@ not_matched:
}
}
/* stick that last bit of string on our output */
memcpy(ZSTR_VAL(result) + result_len, piece, subject_len - start_offset);
result_len += subject_len - start_offset;
memcpy(ZSTR_VAL(result) + result_len, piece, subject_len - last_end_offset);
result_len += subject_len - last_end_offset;
ZSTR_VAL(result)[result_len] = '\0';
ZSTR_LEN(result) = result_len;
break;
ext/pcre/tests/bug79188.phpt
+13
View File
@@ -0,0 +1,13 @@
--TEST--
Bug #79188: Memory corruption in preg_replace/preg_replace_callback and unicode
--FILE--
<?php
var_dump(preg_replace("//u", "", "a" . str_repeat("\u{1f612}", 10)));
var_dump(preg_replace_callback(
"//u", function() { return ""; }, "a" . str_repeat("\u{1f612}", 10)));
?>
--EXPECT--
string(41) "a😒😒😒😒😒😒😒😒😒😒"
string(41) "a😒😒😒😒😒😒😒😒😒😒"