From: Xinchen Hui <laruence@php.net>
Date: Mon, 27 Jul 2015 03:17:05 +0000 (+0800)
Subject: Fixed bug #70140 (str_ireplace/php_string_tolower - Arbitrary Code Execution)
X-Git-Tag: php-7.0.0beta3~5^2~98
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=6aeee47b2cd47915ccfa3b41433a3f57aea24dd5;p=php

Fixed bug #70140 (str_ireplace/php_string_tolower - Arbitrary Code Execution)
---

diff --git a/NEWS b/NEWS
index 66441f745b..384f11e972 100644
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,10 @@ PHP                                                                        NEWS
   . Fixed bug #70111 (Segfault when a function uses both an explicit return
     type and an explicit cast). (Laruence)
 
+- Standard:
+  . Fixed bug #70140 (str_ireplace/php_string_tolower - Arbitrary Code
+    Execution). (Laruence)
+
 23 Jul 2015, PHP 7.0.0 Beta 2
 
 - Core:
diff --git a/ext/standard/string.c b/ext/standard/string.c
index bb482ba7a1..2a9ddb2a18 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -4055,7 +4055,7 @@ static zend_long php_str_replace_in_subject(zval *search, zval *replace, zval *s
 						Z_STRVAL_P(search), Z_STRLEN_P(search),
 						Z_STRVAL_P(replace), Z_STRLEN_P(replace), &replace_count));
 			} else {
-				lc_subject_str = php_string_tolower(Z_STR_P(subject));
+				lc_subject_str = php_string_tolower(subject_str);
 				ZVAL_STR(result, php_str_to_str_i_ex(subject_str, ZSTR_VAL(lc_subject_str),
 						Z_STR_P(search),
 						Z_STRVAL_P(replace), Z_STRLEN_P(replace), &replace_count));