From: Theodore Brown Date: Sun, 25 Aug 2019 05:33:51 +0000 (-0500) Subject: Fix #78454: Consecutive numeric separators cause OOM error X-Git-Tag: php-7.4.0RC1~47 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=1a78bdab276a9e34aa1ae00a184538e2d0dacdcd;p=php Fix #78454: Consecutive numeric separators cause OOM error Resolves out of memory error when consecutive numeric separators follow a binary/hex literal. --- diff --git a/NEWS b/NEWS index 45df257660..69913fdaa8 100644 --- a/NEWS +++ b/NEWS @@ -9,6 +9,8 @@ PHP NEWS (cmb, Nikita) . Fixed bug #78441 (Parse error due to heredoc identifier followed by digit). (cmb) + . Fixed bug #78454 (Consecutive numeric separators cause OOM error). + (Theodore Brown) - SPL: . Fixed bug #78436 (Missing addref in SplPriorityQueue EXTR_BOTH mode). diff --git a/Zend/tests/bug78454_1.phpt b/Zend/tests/bug78454_1.phpt new file mode 100644 index 0000000000..184d358372 --- /dev/null +++ b/Zend/tests/bug78454_1.phpt @@ -0,0 +1,7 @@ +--TEST-- +Invalid consecutive numeric separators after hex literal +--FILE-- + 0 && (*bin == '0' || *bin == '_')) { ++bin; --len; } @@ -1892,7 +1892,7 @@ NEWLINE ("\r"|"\n"|"\r\n") char *end, *hex = yytext + 2; /* Skip any leading 0s */ - while (*hex == '0' || *hex == '_') { + while (len > 0 && (*hex == '0' || *hex == '_')) { ++hex; --len; }
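Review bot: In the hex hunk, the comment `/* Skip any leading 0s */` above the changed `while` no longer describes the loop, which also skips `_` and is now bounded by `len`. The bound is the actual fix, so the comment should say that the skip must stop at the end of the matched literal, and the same wording would fit the `bin` loop that receives the identical `len > 0 &&` guard. Testing `len > 0` before dereferencing `*hex` is the right order. The loop can exit with `len` at 0, and the code that consumes `hex` and `len` afterwards is outside the visible context, so confirm it accepts a zero length.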
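Review bot: The only test visible here, Zend/tests/bug78454_1.phpt, is titled for the hex literal, while the scanner change guards both the `bin` and the `hex` loop. Confirm that a companion test covers consecutive separators after a binary literal, so that each modified loop has its own regression test. Each test's expected output should pin the diagnostic the scanner now produces, not only the absence of the out-of-memory error, so a later change to either loop is caught.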