Fixed bug #72399 (Use-After-Free in MBString (search_re))

laruence · laruence · commit 3d5641872239 · 2016-06-13T18:20:26.000-07:00
diff --git a/NEWS b/NEWS
@@ -2,6 +2,8 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2016 PHP 7.0.9
 
+- Mbstring:
+  . Fixed bug #72399 (Use-After-Free in MBString (search_re)). (Laruence)
 
 - Standard:
   . Fixed bug #72306 (Heap overflow through proc_open and $env parameter).
diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
@@ -459,8 +459,12 @@ static php_mb_regex_t *php_mbregex_compile_pattern(const char *pattern, int patl
 			retval = NULL;
 			goto out;
 		}
+		if (rc == MBREX(search_re)) {
+			/* reuse the new rc? see bug #72399 */
+			MBREX(search_re) = NULL;
+		}
 		zend_hash_str_update_ptr(&MBREX(ht_rc), (char *)pattern, patlen, retval);
-	} else if (rc) {
+	} else {
 		retval = rc;
 	}
 out:
diff --git a/ext/mbstring/tests/bug72399.phpt b/ext/mbstring/tests/bug72399.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Bug #72399 (Use-After-Free in MBString (search_re))
+--FILE--
+<?php
+$var5 = mbereg_search_init("","2");
+$var6 = mb_eregi_replace("2","","");
+$var13 = mbereg_search_pos();
+?>
+--EXPECTF--
+Warning: mbereg_search_pos(): No regex given in %sbug72399.php on line %d

Original file line number	Diff line number	Diff line change
`@@ -459,8 +459,12 @@ static php_mb_regex_t php_mbregex_compile_pattern(const char pattern, int patl`
`459`	`459`	`retval = NULL;`
`460`	`460`	`goto out;`
`461`	`461`	`}`
	`462`	`+ if (rc == MBREX(search_re)) {`
	`463`	`+ /* reuse the new rc? see bug #72399 */`
	`464`	`+ MBREX(search_re) = NULL;`
	`465`	`+ }`
`462`	`466`	`zend_hash_str_update_ptr(&MBREX(ht_rc), (char *)pattern, patlen, retval);`
`463`		`- } else if (rc) {`
	`467`	`+ } else {`
`464`	`468`	`retval = rc;`
`465`	`469`	`}`
`466`	`470`	`out:`