Fix buffer overflow in mb_ereg_replace
Summary:
This diff has already been landed to release and to open-source branches. We're now landing it on master.

CVE-2019-11935

Reviewed By: jjergus

Differential Revision: D18177934

fbshipit-source-id: d108a59e38c67f5f5e835febd7255307605ba62c
skishore authored and facebook-github-bot committed Oct 29, 2019
1 parent 8b41a38 commit 1c51855
Showing 3 changed files with 22 additions and 3 deletions.
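--- a/hphp/runtime/ext/mbstring/ext_mbstring.cpp
+++ b/hphp/runtime/ext/mbstring/ext_mbstring.cpp
@@ -3609,8 +3609,9 @@ static Variant _php_mb_regex_ereg_replace_exec(const Variant& pattern,
 while (i < replacement.size()) {
 int fwd = (int)php_mb_mbchar_bytes_ex(p, enc);
 n = -1;
-if ((replacement.size() - i) >= 2 && fwd == 1 &&
-p[0] == '\\' && p[1] >= '0' && p[1] <= '9') {
+auto const remaining = replacement.size() - i;
+if (remaining >= 2 && fwd == 1 &&
+p[0] == '\\' && p[1] >= '0' && p[1] <= '9') {
 n = p[1] - '0';
 }
 if (n >= 0 && n < regs->num_regs) {
@@ -3621,10 +3622,14 @@ static Variant _php_mb_regex_ereg_replace_exec(const Variant& pattern,
 }
 p += 2;
 i += 2;
-} else {
+} else if (remaining >= fwd) {
 out_buf.append(p, fwd);
 p += fwd;
 i += fwd;
+} else {
+raise_warning("Replacement ends with unterminated %s: 0x%hhx",
+enc->name, *p);
+break;
 }
 }
 n = regs->end[0];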
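Review bot: The guard `else if (remaining >= fwd)` carries the whole fix but is undocumented: `fwd` is derived from the lead byte by `php_mb_mbchar_bytes_ex(p, enc)` and can claim more bytes than `replacement` still holds, which `out_buf.append(p, fwd)` previously copied without a bound. I would put a comment above it, e.g. `// fwd comes from the lead byte only; never copy past the end of replacement (CVE-2019-11935)`. Separately, `remaining` is declared `auto`, so its signedness follows `replacement.size() - i`, whose types are not visible in these hunks, while `fwd` is an `int`; naming the type explicitly (for instance `int const remaining = ...` if `size()` returns `int`) would rule out an implicit signed/unsigned conversion inside the bounds check. The enclosing function starts and ends outside both hunks.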
@@ -0,0 +1,7 @@
<?hh

<<__EntryPoint>>
function main(): void {
var_dump(mb_ereg_replace("", "\xf1", "", ""));
throw new Error("done");
}
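Review bot: Coverage stops at a replacement made of a single truncated UTF-8 lead byte, so the case where valid bytes precede the truncated sequence is not pinned. A second call such as `var_dump(mb_ereg_replace("", "ab\xf1", "", ""));`, with the expect file extended to match, would record how much of the replacement survives once the warning path breaks out of the loop. A short comment saying that `throw new Error("done")` is presumably there to show execution continues past the call would also help the next reader.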
@@ -0,0 +1,7 @@
Warning: Replacement ends with unterminated UTF-8: 0xf1 in %s/mb_ereg_replace_invalid_replacement.php on line 5
string(0) ""

Fatal error: Uncaught Error: done in %s/mb_ereg_replace_invalid_replacement.php:6
Stack trace:
#0 (): main()
#1 {main}
