authorStanislav Malyshev <stas@php.net>2016-06-21 00:25:49 -0700
committerStanislav Malyshev <stas@php.net>2016-06-21 00:25:49 -0700
commit8705254f2d4f73e22f150bc501fa534e7742754b (patch)
treece7ed8773821b35004011586976263da6991a331 /ext/mbstring
parentd002037dc1304f3b936593cb1907cfcf8baf8a06 (diff)
parent2a65544f788654946bfe49e114efa748246fdd52 (diff)
downloadphp-git-8705254f2d4f73e22f150bc501fa534e7742754b.tar.gz
Merge branch 'PHP-7.0.8' into PHP-7.0
* PHP-7.0.8: Fixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow update NEWS fix tests fix build Fix bug #72455: Heap Overflow due to integer overflows Fix bug #72434: ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize Fixed #72433: Use After Free Vulnerability in PHP's GC algorithm and unserialize Fix bug #72407: NULL Pointer Dereference at _gdScaleVert Fix bug #72402: _php_mb_regex_ereg_replace_exec - double free Fix bug #72298 pass2_no_dither out-of-bounds access Fixed #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow Fix bug #72262 - do not overflow int Fix bug #72400 and #72403 - prevent signed int overflows for string lengths Fix bug #72275: don't allow smart_str to overflow int Fix bug #72340: Double Free Corruption in wddx_deserialize Fix bug #72321 - use efree() for emalloc allocation 5.6.23RC1 fix NEWS set versions Conflicts: configure.in main/php_version.h
Diffstat (limited to 'ext/mbstring')
-rw-r--r--ext/mbstring/php_mbregex.c1
-rw-r--r--ext/mbstring/tests/bug72402.phpt17
2 files changed, 17 insertions, 1 deletions
diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
index 2337926740..573a5e9b9c 100644
--- a/ext/mbstring/php_mbregex.c
+++ b/ext/mbstring/php_mbregex.c
@@ -988,7 +988,6 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp
smart_str_free(&eval_buf);
zval_ptr_dtor(&retval);
} else {
- efree(description);
if (!EG(exception)) {
php_error_docref(NULL, E_WARNING, "Unable to call custom replacement function");
}
diff --git a/ext/mbstring/tests/bug72402.phpt b/ext/mbstring/tests/bug72402.phpt
new file mode 100644
index 0000000000..abb290bf4d
--- /dev/null
+++ b/ext/mbstring/tests/bug72402.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #72402: _php_mb_regex_ereg_replace_exec - double free
+--SKIPIF--
+<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
+--FILE--
+<?php
+function throwit() {
+ throw new Exception('it');
+}
+$var10 = "throwit";
+try {
+ $var14 = mb_ereg_replace_callback("", $var10, "");
+} catch(Exception $e) {}
+?>
+DONE
+--EXPECT--
+DONE
\ No newline at end of file
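Review bot: The empty `catch(Exception $e) {}` lets this test print DONE whether or not throwit() was ever invoked, so it does not show that the failing-callback branch of _php_mb_regex_ereg_replace_exec was actually reached. Echoing in the handler, `} catch(Exception $e) { echo $e->getMessage(), "\n"; }`, and expecting `it` on the line before `DONE` would pin that path, assuming the callback fires for this empty pattern and subject. The double free itself presumably only fails the run when the allocator or a memory checker notices the corruption, so a one-line comment in the --FILE-- section naming the kind of build the regression is expected to trip on would help whoever triages a future failure.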