Fixed bug #70140 (str_ireplace/php_string_tolower - Arbitrary Code Execution)

author: Xinchen Hui <laruence@php.net> 2015-07-27 11:17:05 +0800
committer: Xinchen Hui <laruence@php.net> 2015-07-27 11:17:05 +0800
commit: 6aeee47b2cd47915ccfa3b41433a3f57aea24dd5 (patch)
tree: 22f8fc07693a91065da6b18e3227c59917278e0f
parent: d44fc4a07361d2527dd7073b09e5e88134708858 (diff)
download: php-git-6aeee47b2cd47915ccfa3b41433a3f57aea24dd5.tar.gz
2 files changed, 5 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index 66441f745b..384f11e972 100644
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,10 @@ PHP                                                                        NEWS
   . Fixed bug #70111 (Segfault when a function uses both an explicit return
     type and an explicit cast). (Laruence)
 
+- Standard:
+  . Fixed bug #70140 (str_ireplace/php_string_tolower - Arbitrary Code
+    Execution). (Laruence)
+
 23 Jul 2015, PHP 7.0.0 Beta 2
 
 - Core:
diff --git a/ext/standard/string.c b/ext/standard/string.c
index bb482ba7a1..2a9ddb2a18 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -4055,7 +4055,7 @@ static zend_long php_str_replace_in_subject(zval *search, zval *replace, zval *s
 						Z_STRVAL_P(search), Z_STRLEN_P(search),
 						Z_STRVAL_P(replace), Z_STRLEN_P(replace), &replace_count));
 			} else {
-				lc_subject_str = php_string_tolower(Z_STR_P(subject));
+				lc_subject_str = php_string_tolower(subject_str);
 				ZVAL_STR(result, php_str_to_str_i_ex(subject_str, ZSTR_VAL(lc_subject_str),
 						Z_STR_P(search),
 						Z_STRVAL_P(replace), Z_STRLEN_P(replace), &replace_count));
author	Xinchen Hui <laruence@php.net>	2015-07-27 11:17:05 +0800
committer	Xinchen Hui <laruence@php.net>	2015-07-27 11:17:05 +0800
commit	6aeee47b2cd47915ccfa3b41433a3f57aea24dd5 (patch)
tree	22f8fc07693a91065da6b18e3227c59917278e0f
parent	d44fc4a07361d2527dd7073b09e5e88134708858 (diff)
download	php-git-6aeee47b2cd47915ccfa3b41433a3f57aea24dd5.tar.gz