fix segfault/leak, add test

diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
index e10802be9f8fb03118554ff9fd5900516d47bc32..4c381c3755bc03e72015d270f60282f7296e4fd3 100644 (file)
--- a/ext/mbstring/php_mbregex.c
+++ b/ext/mbstring/php_mbregex.c
@@ -518,7 +518,7 @@ PHP_FUNCTION(mb_regex_encoding)
 static void _php_mb_regex_ereg_exec(INTERNAL_FUNCTION_PARAMETERS, int icase)
 {
        zval tmp;
-       zval *arg_pattern, *array;
+       zval **arg_pattern, *array;
        char *string;
        int string_len;
        php_mb_regex_t *re;
@@ -529,7 +529,7 @@ static void _php_mb_regex_ereg_exec(INTERNAL_FUNCTION_PARAMETERS, int icase)
 
        array = NULL;
 
-       if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "zs|z", &arg_pattern, &string, &string_len, &array) == FAILURE) {
+       if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "Zs|z", &arg_pattern, &string, &string_len, &array) == FAILURE) {
                RETURN_FALSE;
        }
 
@@ -539,18 +539,15 @@ static void _php_mb_regex_ereg_exec(INTERNAL_FUNCTION_PARAMETERS, int icase)
        }
 
        /* compile the regular expression from the supplied regex */
-       if (Z_TYPE_P(arg_pattern) != IS_STRING) {
+       if (Z_TYPE_PP(arg_pattern) != IS_STRING) {
                /* we convert numbers to integers and treat them as a string */
-               tmp = *arg_pattern;
-               zval_copy_ctor(&tmp);
-               if (Z_TYPE_P(&tmp) == IS_DOUBLE) {
-                       convert_to_long(&tmp);  /* get rid of decimal places */
+               if (Z_TYPE_PP(arg_pattern) == IS_DOUBLE) {
+                       convert_to_long_ex(arg_pattern);        /* get rid of decimal places */
                }
-               convert_to_string(&tmp);
-               arg_pattern = &tmp;
+               convert_to_string_ex(arg_pattern);
                /* don't bother doing an extended regex with just a number */
        }
-       re = php_mbregex_compile_pattern(Z_STRVAL_P(arg_pattern), Z_STRLEN_P(arg_pattern), options, MBSTRG(current_mbctype), MBSTRG(regex_default_syntax) TSRMLS_CC);
+       re = php_mbregex_compile_pattern(Z_STRVAL_PP(arg_pattern), Z_STRLEN_PP(arg_pattern), options, MBSTRG(current_mbctype), MBSTRG(regex_default_syntax) TSRMLS_CC);
        if (re == NULL) {
                RETVAL_FALSE;
                goto out;
@@ -590,9 +587,6 @@ out:
        if (regs != NULL) {
                onig_region_free(regs, 1);
        }
-       if (arg_pattern == &tmp) {
-               zval_dtor(&tmp);
-       }
 }
 /* }}} */
 

diff --git a/ext/mbstring/tests/mb_ereg1.phpt b/ext/mbstring/tests/mb_ereg1.phpt
new file mode 100644 (file)
index 0000000..e420312
--- /dev/null
+++ b/ext/mbstring/tests/mb_ereg1.phpt
@@ -0,0 +1,79 @@
+--TEST--
+mb_ereg() and invalid arguments
+--SKIPIF--
+<?php if (!function_exists("mb_ereg")) print "skip"; ?>
+--FILE--
+<?php
+
+$a = array(
+       array(1,2,3),
+       array("", "", ""),
+       array(array(), 1, ""),
+       array(1, array(), ""),
+       array(1, "", array()),
+       );
+
+foreach ($a as $args) {
+       var_dump(mb_ereg($args[0], $args[1], $args[2]));
+       var_dump($args);
+}
+
+echo "Done\n";
+?>
+--EXPECTF--    
+bool(false)
+array(3) {
+  [0]=>
+  int(1)
+  [1]=>
+  int(2)
+  [2]=>
+  int(3)
+}
+int(1)
+array(3) {
+  [0]=>
+  string(0) ""
+  [1]=>
+  string(0) ""
+  [2]=>
+  array(1) {
+    [0]=>
+    bool(false)
+  }
+}
+
+Notice: Array to string conversion in %s on line %d
+bool(false)
+array(3) {
+  [0]=>
+  array(0) {
+  }
+  [1]=>
+  int(1)
+  [2]=>
+  string(0) ""
+}
+
+Warning: mb_ereg() expects parameter 2 to be string, array given in %s on line %d
+bool(false)
+array(3) {
+  [0]=>
+  int(1)
+  [1]=>
+  array(0) {
+  }
+  [2]=>
+  string(0) ""
+}
+bool(false)
+array(3) {
+  [0]=>
+  int(1)
+  [1]=>
+  string(0) ""
+  [2]=>
+  array(0) {
+  }
+}
+Done