diff options
| -rw-r--r-- | NEWS | 2 | ||||
| -rw-r--r-- | ext/mbstring/php_mbregex.c | 7 | ||||
| -rw-r--r-- | ext/mbstring/tests/bug43301.phpt | 21 |
3 files changed, 29 insertions, 1 deletions
@@ -1,6 +1,8 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? 2008, PHP 5.2.6 +- Fixed bug #43301 (mb_ereg*_replace() crashes when replacement string is invalid + PHP expression and 'e' option is used). (Jani) - Fixed bug #43293 (Multiple segfaults in getopt()). (Hannes) - Fixed bug #43279 (pg_send_query_params() converts all elements in 'params' to strings). (Ilia) diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c index 81b39b1bd8..99e1a5fde7 100644 --- a/ext/mbstring/php_mbregex.c +++ b/ext/mbstring/php_mbregex.c @@ -737,7 +737,12 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp /* null terminate buffer */ smart_str_appendc(&eval_buf, '\0'); /* do eval */ - zend_eval_string(eval_buf.c, &v, description TSRMLS_CC); + if (zend_eval_string(eval_buf.c, &v, description TSRMLS_CC) == FAILURE) { + efree(description); + php_error_docref(NULL TSRMLS_CC,E_ERROR, "Failed evaluating code: %s%s", PHP_EOL, eval_buf.c); + /* zend_error() does not return in this case */ + } + /* result of eval */ convert_to_string(&v); smart_str_appendl(&out_buf, Z_STRVAL(v), Z_STRLEN(v)); diff --git a/ext/mbstring/tests/bug43301.phpt b/ext/mbstring/tests/bug43301.phpt new file mode 100644 index 0000000000..71b169c12c --- /dev/null +++ b/ext/mbstring/tests/bug43301.phpt @@ -0,0 +1,21 @@ +--TEST-- +Bug #43301 (mb_ereg*_replace() crashes when replacement string is invalid PHP expression and 'e' option is used) +--SKIPIF-- +<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?> +--FILE-- +<?php + +$ptr = 'hello'; + +$txt = <<<doc +hello, I have got a cr*sh on you +doc; + +echo mb_ereg_replace($ptr,'$1',$txt,'e'); + +?> +--EXPECTF-- +Parse error: syntax error, unexpected T_LNUMBER, expecting T_VARIABLE or '$' in %s/bug43301.php(%d) : mbregex replace on line 1 + +Fatal error: mb_ereg_replace(): Failed evaluating code: +$1 in %s/bug43301.php on line %d |