Skip to content

Commit 5b597a2

Browse files
committed
Fix bug #72402: _php_mb_regex_ereg_replace_exec - double free
1 parent e9ac895 commit 5b597a2

File tree

2 files changed

+19
-3
lines changed

2 files changed

+19
-3
lines changed

Diff for: ext/mbstring/php_mbregex.c

+2-3
Original file line numberDiff line numberDiff line change
@@ -953,7 +953,7 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp
953953
eval_buf.len = 0;
954954
zval_dtor(&v);
955955
} else if (is_callable) {
956-
zval *retval_ptr;
956+
zval *retval_ptr = NULL;
957957
zval **args[1];
958958
zval *subpats;
959959
int i;
@@ -972,13 +972,12 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp
972972
arg_replace_fci.param_count = 1;
973973
arg_replace_fci.params = args;
974974
arg_replace_fci.retval_ptr_ptr = &retval_ptr;
975-
if (zend_call_function(&arg_replace_fci, &arg_replace_fci_cache TSRMLS_CC) == SUCCESS && arg_replace_fci.retval_ptr_ptr) {
975+
if (zend_call_function(&arg_replace_fci, &arg_replace_fci_cache TSRMLS_CC) == SUCCESS && arg_replace_fci.retval_ptr_ptr && retval_ptr) {
976976
convert_to_string_ex(&retval_ptr);
977977
smart_str_appendl(&out_buf, Z_STRVAL_P(retval_ptr), Z_STRLEN_P(retval_ptr));
978978
eval_buf.len = 0;
979979
zval_ptr_dtor(&retval_ptr);
980980
} else {
981-
efree(description);
982981
if (!EG(exception)) {
983982
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to call custom replacement function");
984983
}

Diff for: ext/mbstring/tests/bug72402.phpt

+17
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,17 @@
1+
--TEST--
2+
Bug #72402: _php_mb_regex_ereg_replace_exec - double free
3+
--SKIPIF--
4+
<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
5+
--FILE--
6+
<?php
7+
function throwit() {
8+
throw new Exception('it');
9+
}
10+
$var10 = "throwit";
11+
try {
12+
$var14 = mb_ereg_replace_callback("", $var10, "");
13+
} catch(Exception $e) {}
14+
?>
15+
DONE
16+
--EXPECT--
17+
DONE

0 commit comments

Comments
 (0)