Fix #77367: Negative size parameter in mb_split

When adding the last element to the result value of `mb_split`, the
`chunk_pos` may point beyond the end of the string, in which case the
unsigned `n` would underflow.  Therefore, we check whether this is the
case in the first place, and only calculate `n` otherwise.  Since `n`
is no longer used outside the block, we move its declaration inside.

diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
index 68922b696653af386a8b5faca06ff99d66e0f75a..85219b00e4f0300fce747f42f363608adce01fd4 100644 (file)
--- a/ext/mbstring/php_mbregex.c
+++ b/ext/mbstring/php_mbregex.c
@@ -1238,7 +1238,6 @@ PHP_FUNCTION(mb_split)
        size_t string_len;
 
        int err;
-       size_t n;
        zend_long count = -1;
 
        if (zend_parse_parameters(ZEND_NUM_ARGS(), "ss|l", &arg_pattern, &arg_pattern_len, &string, &string_len, &count) == FAILURE) {
@@ -1296,8 +1295,8 @@ PHP_FUNCTION(mb_split)
        }
 
        /* otherwise we just have one last element to add to the array */
-       n = ((OnigUChar *)(string + string_len) - chunk_pos);
-       if (n > 0) {
+       if ((OnigUChar *)(string + string_len) > chunk_pos) {
+               size_t n = ((OnigUChar *)(string + string_len) - chunk_pos);
                add_next_index_stringl(return_value, (char *)chunk_pos, n);
        } else {
                add_next_index_stringl(return_value, "", 0);

diff --git a/ext/mbstring/tests/bug77367.phpt b/ext/mbstring/tests/bug77367.phpt
new file mode 100644 (file)
index 0000000..0ba76fd
--- /dev/null
+++ b/ext/mbstring/tests/bug77367.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Bug #77367 (Negative size parameter in mb_split)
+--SKIPIF--
+<?php
+if (!extension_loaded('mbstring')) die('mbstring extension not available');
+if (!function_exists('mb_split')) die('mb_split() not available');
+?>
+--FILE--
+<?php
+mb_regex_encoding('UTF-8');
+var_dump(mb_split("\\w", "\xfc"));
+?>
+===DONE===
+--EXPECT--
+array(2) {
+  [0]=>
+  string(0) ""
+  [1]=>
+  string(0) ""
+}
+===DONE===