Fix bug #77370 - check that we do not read past buffer end when parsi…

…ng multibytes
php · Jan 6, 2019 · 20407d0 · 20407d0
1 parent a918020
commit 20407d0
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 0 deletions.
diff --git a/ext/mbstring/oniguruma/regparse.c b/ext/mbstring/oniguruma/regparse.c
@@ -246,6 +246,12 @@ strdup_with_null(OnigEncoding enc, UChar* s, UChar* end)
 }
 #endif
 
+#if (defined (__GNUC__) && __GNUC__ > 2 ) && !defined(DARWIN) && !defined(__hpux) && !defined(_AIX)
+# define UNEXPECTED(condition) __builtin_expect(condition, 0)
+#else
+# define UNEXPECTED(condition) (condition)
+#endif
+
 /* scan pattern methods */
 #define PEND_VALUE   0
 
@@ -260,14 +266,17 @@ strdup_with_null(OnigEncoding enc, UChar* s, UChar* end)
   c = ONIGENC_MBC_TO_CODE(enc, p, end); \
   pfetch_prev = p; \
   p += ONIGENC_MBC_ENC_LEN(enc, p); \
+  if(UNEXPECTED(p > end)) p = end; \
 } while (0)
 
 #define PINC_S     do { \
   p += ONIGENC_MBC_ENC_LEN(enc, p); \
+  if(UNEXPECTED(p > end)) p = end; \
 } while (0)
 #define PFETCH_S(c) do { \
   c = ONIGENC_MBC_TO_CODE(enc, p, end); \
   p += ONIGENC_MBC_ENC_LEN(enc, p); \
+  if(UNEXPECTED(p > end)) p = end; \
 } while (0)
 
 #define PPEEK        (p < end ? ONIGENC_MBC_TO_CODE(enc, p, end) : PEND_VALUE)

diff --git a/ext/mbstring/tests/bug77370.phpt b/ext/mbstring/tests/bug77370.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #77370 (Buffer overflow on mb regex functions - fetch_token)
+--SKIPIF--
+<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
+--FILE--
+<?php
+var_dump(mb_split("   \xfd",""));
+?>
+--EXPECT--
+array(1) {
+  [0]=>
+  string(0) ""
+}