From 8e258a127d3b956acd6d063dc5910adab0f03973 Mon Sep 17 00:00:00 2001
From: Zhou Qingyang
Date: Tue, 29 Mar 2022 22:48:34 +0800
Subject: [PATCH] Fix a NULL pointer dereference bug lead by php_pcre_replace_impl()

php_pcre_replace_impl() will return NULL on failure. However, in the implementation of RegexIterator::accept() the return value of php_pcre_replace_impl() is directly used without any check, which leads to a NULL pointer dereference. Fix this by adding a NULL check, and returning false in that case.

Closes GH-8271

Signed-off-by: George Peter Banyard
---
 ext/spl/spl_iterators.c | 7 ++++++-
 ext/spl/tests/gh8271.phpt | 37 +++++++++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 ext/spl/tests/gh8271.phpt
diff --git a/ext/spl/spl_iterators.c b/ext/spl/spl_iterators.c
index 9c7ca4e324481..6176b45d707e7 100644
--- a/ext/spl/spl_iterators.c
+++ b/ext/spl/spl_iterators.c
@@ -1866,6 +1866,12 @@ PHP_METHOD(RegexIterator, accept)
 }
 result = php_pcre_replace_impl(intern->u.regex.pce, subject, ZSTR_VAL(subject), ZSTR_LEN(subject), replacement_str, -1, &count);
+ zend_string_release(replacement_str);
+ zend_string_release(subject);
+
+ if (!result) {
+ RETURN_FALSE;
+ }
 if (intern->u.regex.flags & REGIT_USE_KEY) {
 zval_ptr_dtor(&intern->current.key);
@@ -1875,7 +1881,6 @@ PHP_METHOD(RegexIterator, accept)
 ZVAL_STR(&intern->current.data, result);
 }
- zend_string_release(replacement_str);
 RETVAL_BOOL(count > 0);
 }
 }
diff --git a/ext/spl/tests/gh8271.phpt b/ext/spl/tests/gh8271.phpt
new file mode 100644
index 0000000000000..cbf1ee57c61c2
--- /dev/null
+++ b/ext/spl/tests/gh8271.phpt
@@ -0,0 +1,37 @@
+--TEST--
+GH-8271: NULL pointer dereference in RegexIterator::accept()
+--EXTENSIONS--
+spl
+--FILE--
+
+--EXPECT--
+array(2) {
+ [1]=>
+ string(2) "br"
+ [2]=>
+ string(2) "bz"
+}
+array(2) {
+ [1]=>
+ string(2) "br"
+ [2]=>
+ string(2) "bz"
+}
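Review bot: The unconditional `zend_string_release(subject);` added after the `php_pcre_replace_impl()` call is suspicious, because the pre-patch replace branch (see the removed line in the second hunk, which only released `replacement_str`) never released `subject` itself — so either the old code leaked `subject` in replace mode, or the common tail of `accept()`, which lies outside both hunks, releases it, and in that case the non-NULL path now frees `subject` twice. The safer shape keeps ownership where it was and releases only on the new early exit: `if (!result) { zend_string_release(subject); RETURN_FALSE; }`, with the unconditional release dropped; moving `zend_string_release(replacement_str)` ahead of the check, as the hunk does, is fine. A comment on the check would also spare the next reader from confusing a PCRE error with a no-match result, e.g. `/* NULL means the match failed with a PCRE error (limits, invalid UTF-8), not "no match"; reject the element */`. Note that `RETURN_FALSE` also bypasses whatever follows the switch in `accept()` (flag-dependent inversion of the result, if this build has it), so a failed replace is reported as not-accepted regardless of flags — presumably intended, but worth stating in that comment. `PHP_METHOD(RegexIterator, accept)` starts before and ends after this hunk.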
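Review bot: The visible part of gh8271.phpt ends at `--FILE--` followed by a single empty added line and then `--EXPECT--`, while the hunk header promises 37 added lines, so the PHP script itself is missing from this page; the `--EXPECT--` block alone (two arrays of `"br"`/`"bz"`, i.e. successful replacements) does not show that the test drives `php_pcre_replace_impl()` into its NULL return, which is the path the C change guards. If the script only performs replacements that succeed, the test would pass with or without the fix; forcing the error path (for instance a deliberately tiny `pcre.backtrack_limit` set via `ini_set()` inside the test) and asserting that the element is rejected rather than the process crashing would pin the regression. Presumably the missing lines do something of the kind — worth confirming that the test fails on the pre-patch build before merging.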