Validate subject encoding in mb_split and mb_ereg_match

We were already validating the subject encoding in most functions, but not these two.
php · Mar 28, 2019 · 0ecac37 · 0ecac37
1 parent 40fe50d
commit 0ecac37
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 5 deletions.
diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
@@ -1114,6 +1114,11 @@ PHP_FUNCTION(mb_split)
 		count--;
 	}
 
+	if (!php_mb_check_encoding(string, string_len,
+			_php_mb_regex_mbctype2name(MBREX(current_mbctype)))) {
+		RETURN_FALSE;
+	}
+
 	/* create regex pattern buffer */
 	if ((re = php_mbregex_compile_pattern(arg_pattern, arg_pattern_len, MBREX(regex_default_options), MBREX(current_mbctype), MBREX(regex_default_syntax))) == NULL) {
 		RETURN_FALSE;
@@ -1203,6 +1208,11 @@ PHP_FUNCTION(mb_ereg_match)
 		}
 	}
 
+	if (!php_mb_check_encoding(string, string_len,
+			_php_mb_regex_mbctype2name(MBREX(current_mbctype)))) {
+		RETURN_FALSE;
+	}
+
 	if ((re = php_mbregex_compile_pattern(arg_pattern, arg_pattern_len, option, MBREX(current_mbctype), syntax)) == NULL) {
 		RETURN_FALSE;
 	}

diff --git a/ext/mbstring/tests/bug77418.phpt b/ext/mbstring/tests/bug77418.phpt
@@ -1,5 +1,5 @@
 --TEST--
-Bug #77371 (Heap overflow in utf32be_mbc_to_code)
+Bug #77418 (Heap overflow in utf32be_mbc_to_code)
 --SKIPIF--
 <?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
 --FILE--
@@ -8,7 +8,4 @@ mb_regex_encoding("UTF-32");
 var_dump(mb_split("\x00\x00\x00\x5c\x00\x00\x00B","000000000000000000000000000000"));
 ?>
 --EXPECT--
-array(1) {
-  [0]=>
-  string(30) "000000000000000000000000000000"
-}
+bool(false)