Fix #77367: Negative size parameter in mb_split

cmb69 · cmb69 · commit 11ce508ee339 · 2019-01-07T13:46:49.000+01:00
When adding the last element to the result value of `mb_split`, the `chunk_pos` may point beyond the end of the string, in which case the unsigned `n` would underflow. Therefore, we check whether this is the case in the first place, and only calculate `n` otherwise. Since `n` is no longer used outside the block, we move its declaration inside. (cherry picked from commit e617f03)
diff --git a/NEWS b/NEWS
@@ -31,6 +31,9 @@ PHP                                                                        NEWS
     use-after-free). (cmb)
   . Fixed bug #77270 (imagecolormatch Out Of Bounds Write on Heap). (cmb)
 
+- MBString:
+  . Fixed bug #77367 (Negative size parameter in mb_split). (Stas)
+
 - OCI8:
   . Fixed bug #76804 (oci_pconnect with OCI_CRED_EXT not working). (KoenigsKind)
   . Added oci_set_call_timeout() for call timeouts.
diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
@@ -1238,7 +1238,6 @@ PHP_FUNCTION(mb_split)
 	size_t string_len;
 
 	int err;
-	size_t n;
 	zend_long count = -1;
 
 	if (zend_parse_parameters(ZEND_NUM_ARGS(), "ss|l", &arg_pattern, &arg_pattern_len, &string, &string_len, &count) == FAILURE) {
@@ -1296,8 +1295,8 @@ PHP_FUNCTION(mb_split)
 	}
 
 	/* otherwise we just have one last element to add to the array */
-	n = ((OnigUChar *)(string + string_len) - chunk_pos);
-	if (n > 0) {
+	if ((OnigUChar *)(string + string_len) > chunk_pos) {
+		size_t n = ((OnigUChar *)(string + string_len) - chunk_pos);
 		add_next_index_stringl(return_value, (char *)chunk_pos, n);
 	} else {
 		add_next_index_stringl(return_value, "", 0);
diff --git a/ext/mbstring/tests/bug77367.phpt b/ext/mbstring/tests/bug77367.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Bug #77367 (Negative size parameter in mb_split)
+--SKIPIF--
+<?php
+if (!extension_loaded('mbstring')) die('mbstring extension not available');
+if (!function_exists('mb_split')) die('mb_split() not available');
+?>
+--FILE--
+<?php
+mb_regex_encoding('UTF-8');
+var_dump(mb_split("\\w", "\xfc"));
+?>
+===DONE===
+--EXPECT--
+array(2) {
+  [0]=>
+  string(0) ""
+  [1]=>
+  string(0) ""
+}
+===DONE===
