Fixed bug #70140 (str_ireplace/php_string_tolower - Arbitrary Code Execution)

diff --git a/NEWS b/NEWS
index 66441f745b83fc761e42f30f173e91c4532b5bbf..384f11e9720d248fb2e754c220cc9f1f159ce30d 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,10 @@ PHP                                                                        NEWS
   . Fixed bug #70111 (Segfault when a function uses both an explicit return
     type and an explicit cast). (Laruence)
 
+- Standard:
+  . Fixed bug #70140 (str_ireplace/php_string_tolower - Arbitrary Code
+    Execution). (Laruence)
+
 23 Jul 2015, PHP 7.0.0 Beta 2
 
 - Core:

diff --git a/ext/standard/string.c b/ext/standard/string.c
index bb482ba7a159e7f5976b99212c87552b0f46f2ad..2a9ddb2a180b85feca3de464ff9aa54afb71e361 100644 (file)
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -4055,7 +4055,7 @@ static zend_long php_str_replace_in_subject(zval *search, zval *replace, zval *s
                                                Z_STRVAL_P(search), Z_STRLEN_P(search),
                                                Z_STRVAL_P(replace), Z_STRLEN_P(replace), &replace_count));
                        } else {
-                               lc_subject_str = php_string_tolower(Z_STR_P(subject));
+                               lc_subject_str = php_string_tolower(subject_str);
                                ZVAL_STR(result, php_str_to_str_i_ex(subject_str, ZSTR_VAL(lc_subject_str),
                                                Z_STR_P(search),
                                                Z_STRVAL_P(replace), Z_STRLEN_P(replace), &replace_count));