Fixed bug #71537 (PCRE segfault from Opcache)

diff --git a/NEWS b/NEWS
index 5ea1dff38f4a1e995c68edc42496a4fed561424c..1a18dbe4b05c00951bc57799cf33c99e4a30bd46 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -17,6 +17,9 @@ PHP                                                                        NEWS
   . Fixed bug #71529 (Variable references on array elements don't work when
     using count). (Nikita)
 
+- PCRE:
+  . Fixed bug #71537 (PCRE segfault from Opcache). (Laruence)
+
 - CURL:
   . Fixed bug #71523 (Copied handle with new option CURLOPT_HTTPHEADER crashes
     while curl_multi_exec). (Laruence)

diff --git a/ext/pcre/php_pcre.c b/ext/pcre/php_pcre.c
index ee3e36b6ab8fcbe18e589024b8b5c86caa592147..93bfc0005246e42d7de793b296894dc814913c76 100644 (file)
--- a/ext/pcre/php_pcre.c
+++ b/ext/pcre/php_pcre.c
@@ -1350,7 +1350,6 @@ PHPAPI zend_string *php_pcre_replace_impl(pcre_cache_entry *pce, zend_string *su
 static zend_string *php_replace_in_subject(zval *regex, zval *replace, zval *subject, int limit, int is_callable_replace, int *replace_count)
 {
        zval            *regex_entry,
-                               *replace_entry = NULL,
                                *replace_value,
                                 empty_replace;
        zend_string *result;
@@ -1372,25 +1371,26 @@ static zend_string *php_replace_in_subject(zval *regex, zval *replace, zval *sub
 
                /* For each entry in the regex array, get the entry */
                ZEND_HASH_FOREACH_VAL(Z_ARRVAL_P(regex), regex_entry) {
+                       zval replace_str;
                        /* Make sure we're dealing with strings. */
                        zend_string *regex_str = zval_get_string(regex_entry);
 
+                       ZVAL_UNDEF(&replace_str);
                        /* If replace is an array and not a callable construct */
                        if (Z_TYPE_P(replace) == IS_ARRAY && !is_callable_replace) {
                                /* Get current entry */
-                               replace_entry = NULL;
                                while (replace_idx < Z_ARRVAL_P(replace)->nNumUsed) {
                                        if (Z_TYPE(Z_ARRVAL_P(replace)->arData[replace_idx].val) != IS_UNDEF) {
-                                               replace_entry = &Z_ARRVAL_P(replace)->arData[replace_idx].val;
+                                               ZVAL_COPY(&replace_str, &Z_ARRVAL_P(replace)->arData[replace_idx].val);
                                                break;
                                        }
                                        replace_idx++;
                                }
-                               if (replace_entry != NULL) {
+                               if (!Z_ISUNDEF(replace_str)) {
                                        if (!is_callable_replace) {
-                                               convert_to_string_ex(replace_entry);
+                                               convert_to_string(&replace_str);
                                        }
-                                       replace_value = replace_entry;
+                                       replace_value = &replace_str;
                                        replace_idx++;
                                } else {
                                        /* We've run out of replacement strings, so use an empty one */
@@ -1413,10 +1413,12 @@ static zend_string *php_replace_in_subject(zval *regex, zval *replace, zval *sub
                        } else {
                                zend_string_release(subject_str);
                                zend_string_release(regex_str);
+                               zval_dtor(&replace_str);
                                return NULL;
                        }
 
                        zend_string_release(regex_str);
+                       zval_dtor(&replace_str);
                } ZEND_HASH_FOREACH_END();
 
                return subject_str;