Fix #72823: strtr out-of-bound access
authorChristoph M. Becker <cmbecker69@gmx.de>
Sat, 13 Aug 2016 09:39:16 +0000 (11:39 +0200)
committerChristoph M. Becker <cmbecker69@gmx.de>
Sat, 13 Aug 2016 09:40:33 +0000 (11:40 +0200)
If php_strtr_array_prepare_repls() reports patterns_len == 0, we return
early to avoid OOB accesses, and because there is nothing to replace anyway.

NEWS
ext/standard/string.c
ext/standard/tests/strings/bug72823.phpt [new file with mode: 0644]

diff --git a/NEWS b/NEWS
index 90215cdbfc57c2307e8a3b107dbae5d1d22a543f..7bf6fbf3f718d5b91b27e0fa9cb32fd23fdecbca 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,9 @@ PHP                                                                        NEWS
   . Fixed bug #60665 (call to empty() on NULL result using PDO::FETCH_LAZY
     returns false). (cmb)
 
+- Standard:
+  . Fixed bug #72823 (strtr out-of-bound access). (cmb)
+
 18 Aug 2016, PHP 5.6.25
 
 - Core:
index 1ecbdb97ce01f50d887ec92a513273bf5a746e21..9498496fce84e52af15f3862533090a7d9233a17 100644 (file)
@@ -2989,7 +2989,7 @@ static PPRES *php_strtr_array_prepare(STR *text, PATNREPL *patterns, int patnum,
                        res->m = L(&patterns[i].pat);
                }
        }
-       assert(res->m > 0);
+       assert(res->m > 0 && res->m != (STRLEN)-1);
        res->B  = B             = MIN(B, res->m);
        res->Bp = Bp    = MIN(Bp, res->m);
 
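Review bot: The strengthened `assert(res->m > 0 && res->m != (STRLEN)-1);` is a debug aid rather than a runtime guard: if this is the standard C `assert`, it compiles to nothing when NDEBUG is defined, so the `MIN(B, res->m)` and `MIN(Bp, res->m)` lines right after it would still run with whatever `res->m` holds when the loop assigned nothing. The out-of-bounds protection then rests entirely on callers never passing `patnum == 0`, and that precondition is not written down here. I would add a comment above the assert such as `/* precondition: patnum > 0, so res->m was taken from a real pattern; callers must return early otherwise */`. php_strtr_array_prepare() starts and ends outside this hunk, so other call sites cannot be checked from here.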
@@ -3131,6 +3131,12 @@ static void php_strtr_array(zval *return_value, char *str, int slen, HashTable *
        if (patterns == NULL) {
                RETURN_FALSE;
        }
+       if (patterns_len == 0) {
+               efree(patterns);
+               zend_llist_destroy(allocs);
+               efree(allocs);
+               RETURN_STRINGL(str, slen, 1);
+       }
        data = php_strtr_array_prepare(&text, patterns, patterns_len, 2, 2);
        efree(patterns);
        php_strtr_array_do_repl(&text, data, return_value);
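Review bot: The new `patterns_len == 0` branch has no comment saying why a successful prepare step can yield zero patterns, or that this check is what keeps php_strtr_array_prepare() from being called with `patnum == 0`. Something like `/* prepare_repls() kept no patterns: nothing to replace, and php_strtr_array_prepare() must not see patnum == 0 */` would keep a later refactor from dropping it. The branch also repeats the release sequence by hand (`efree(patterns); zend_llist_destroy(allocs); efree(allocs);`), while the `patterns == NULL` branch just above releases nothing. Whether php_strtr_array_prepare_repls() has already freed `allocs` on that path is not visible in this hunk and is worth confirming. php_strtr_array() continues past the end of the hunk.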
diff --git a/ext/standard/tests/strings/bug72823.phpt b/ext/standard/tests/strings/bug72823.phpt
new file mode 100644 (file)
index 0000000..d0aaf0f
--- /dev/null
@@ -0,0 +1,12 @@
+--TEST--
+Bug #72823 (strtr out-of-bound access)
+--FILE--
+<?php
+var_dump(
+    strtr(11, array('aaa' => 'bbb'))
+);
+?>
+===DONE===
+--EXPECT--
+string(2) "11"
+===DONE===
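Review bot: This regression test only compares output, so it may pass on an unfixed build too: an out-of-bounds read does not necessarily crash or change the result. It would reliably catch a regression only when run on a debug build where the assert is active, or under a memory checker; a line in the `--TEST--` description saying so would help. The single case `strtr(11, array('aaa' => 'bbb'))` also passes an integer subject. I would add a plain string subject, `strtr('11', array('aaa' => 'bbb'))`, and a mixed array such as `strtr('11', array('aaa' => 'bbb', '1' => '2'))`, so both the early return and the normal replacement path are covered.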