Fixed(attempt to) bug #72405 (mb_ereg_replace - mbc_to_code (oniguruma) - oob read access)

laruence · laruence · commit 999a3553d58c · 2016-06-15T14:54:57.000+08:00
according to ext/mbstring/oniguruma/enc/utf8.c, max bytes are 6
diff --git a/NEWS b/NEWS
@@ -3,6 +3,8 @@ PHP                                                                        NEWS
 ?? ??? 2016 PHP 7.0.9
 
 - Mbstring:
+  . Fixed bug #72405 (mb_ereg_replace - mbc_to_code (oniguruma) -
+    oob read access). (Laruence)
   . Fixed bug #72399 (Use-After-Free in MBString (search_re)). (Laruence)
 
 - Standard:
diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
@@ -811,7 +811,7 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp
 	OnigUChar *pos;
 	OnigUChar *string_lim;
 	char *description = NULL;
-	char pat_buf[4];
+	char pat_buf[6];
 
 	const mbfl_encoding *enc;
 
@@ -864,6 +864,8 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp
 		pat_buf[1] = '\0';
 		pat_buf[2] = '\0';
 		pat_buf[3] = '\0';
+		pat_buf[4] = '\0';
+		pat_buf[5] = '\0';
 
 		arg_pattern = pat_buf;
 		arg_pattern_len = 1;
