Skip to content

Commit

Permalink
Merge branch 'PHP-7.0' into PHP-7.1
Browse files Browse the repository at this point in the history
* PHP-7.0:
  Fixed bug #73392 (A use-after-free in zend allocator management)
  • Loading branch information
laruence committed Oct 28, 2016
2 parents 2e24335 + e5aa365 commit 7778bdc
Show file tree
Hide file tree
Showing 2 changed files with 31 additions and 5 deletions.
8 changes: 3 additions & 5 deletions ext/pcre/php_pcre.c
Original file line number Diff line number Diff line change
Expand Up @@ -1523,7 +1523,10 @@ static int preg_replace_impl(zval *return_value, zval *regex, zval *replace, zva
RETVAL_STR(result);
} else {
zend_string_release(result);
RETVAL_NULL();
}
} else {
RETVAL_NULL();
}
}

Expand Down Expand Up @@ -1616,7 +1619,6 @@ static PHP_FUNCTION(preg_replace_callback_array)
Z_PARAM_ZVAL_EX(zcount, 0, 1)
ZEND_PARSE_PARAMETERS_END();

ZVAL_UNDEF(&zv);
ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(pattern), str_idx, replace) {
if (str_idx) {
ZVAL_STR_COPY(&regex, str_idx);
Expand Down Expand Up @@ -1645,10 +1647,6 @@ static PHP_FUNCTION(preg_replace_callback_array)

zval_ptr_dtor(&regex);

if (Z_ISUNDEF(zv)) {
RETURN_NULL();
}

ZVAL_COPY_VALUE(return_value, &zv);

if (UNEXPECTED(EG(exception))) {
Expand Down
28 changes: 28 additions & 0 deletions ext/pcre/tests/bug73392.phpt
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
--TEST--
Bug #73392 (A use-after-free in zend allocator management)
--FILE--
<?php
class Rep {
public function __invoke() {
return "d";
}
}
class Foo {
public static function rep($rep) {
return "ok";
}
}
function b() {
return "b";
}
var_dump(preg_replace_callback_array(
array(
"/a/" => 'b', "/b/" => function () { return "c"; }, "/c/" => new Rep, "reporting" => array("Foo", "rep"), "a1" => array("Foo", "rep"),
), 'a'));
?>

--EXPECTF--
Warning: preg_replace_callback_array(): Delimiter must not be alphanumeric or backslash in %sbug73392.php on line %d

Warning: preg_replace_callback_array(): Delimiter must not be alphanumeric or backslash in %sbug73392.php on line %d
NULL

0 comments on commit 7778bdc

Please sign in to comment.