From: Xinchen Hui
Date: Fri, 28 Oct 2016 13:21:24 +0000 (+0800)
Subject: Fixed bug #73392 (A use-after-free in zend allocator management)
X-Git-Tag: php-7.1.0RC6~54^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e5aa3651470e5f741b16d4f3cd55b7ae6ac5d23a;p=php
Fixed bug #73392 (A use-after-free in zend allocator management)
---
diff --git a/NEWS b/NEWS
index be6738ae74..a0c5152bd5 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,10 @@ PHP NEWS
 . Fixded bug #72736 (Slow performance when fetching large dataset with mysqli / PDO). (Dmitry)
+- PCRE:
+ . Fixed bug #73392 (A use-after-free in zend allocator management).
+ (Laruence)
+
 10 Nov 2016 PHP 7.0.13 - Core:
diff --git a/ext/pcre/php_pcre.c b/ext/pcre/php_pcre.c
index 31c97cf975..b1ffe7f228 100644
--- a/ext/pcre/php_pcre.c
+++ b/ext/pcre/php_pcre.c
@@ -1523,7 +1523,10 @@ static int preg_replace_impl(zval *return_value, zval *regex, zval *replace, zva
 RETVAL_STR(result);
 } else {
 zend_string_release(result);
+ RETVAL_NULL();
 }
+ } else {
+ RETVAL_NULL();
 }
 }
@@ -1616,7 +1619,6 @@ static PHP_FUNCTION(preg_replace_callback_array)
 Z_PARAM_ZVAL_EX(zcount, 0, 1)
 ZEND_PARSE_PARAMETERS_END();
- ZVAL_UNDEF(&zv);
 ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(pattern), str_idx, replace) {
 if (str_idx) {
 ZVAL_STR_COPY(®ex, str_idx);
@@ -1645,10 +1647,6 @@ static PHP_FUNCTION(preg_replace_callback_array)
 zval_ptr_dtor(®ex);
- if (Z_ISUNDEF(zv)) {
- RETURN_NULL();
- }
-
 ZVAL_COPY_VALUE(return_value, &zv);
 if (UNEXPECTED(EG(exception))) {
diff --git a/ext/pcre/tests/bug73392.phpt b/ext/pcre/tests/bug73392.phpt
new file mode 100644
index 0000000000..2b432543b8
--- /dev/null
+++ b/ext/pcre/tests/bug73392.phpt
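Review bot: The contract these two added `RETVAL_NULL()` calls establish is not written down anywhere in the hunk: callers may now assume `return_value` is defined on the failure paths shown, and the later hunks in this file depend on that by dropping the caller's own guard. A comment above `preg_replace_impl` would protect against a future early return reintroducing a stale-zval read, for example `/* return_value is always initialised on return; it is NULL when the replacement fails */`. The function body starts outside this hunk, so whether every other exit path also writes `return_value` cannot be confirmed from here and is worth checking.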
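Review bot: Deleting `ZVAL_UNDEF(&zv);` here and the `Z_ISUNDEF(zv)` check in the next hunk leaves `zv` as an uninitialised local, so `ZVAL_COPY_VALUE(return_value, &zv);` is only safe if the callee writes `zv` on every iteration. Resetting it per iteration instead of removing the initialisation would keep a value left over from the previous pass from being copied into `return_value` again if the callee ever misses a path: put `ZVAL_NULL(&zv);` as the first statement of the `ZEND_HASH_FOREACH_STR_KEY_VAL` body. The new test expects two warnings, which suggests the loop now carries on after a pattern fails; if that is intended, a short comment at the copy saying so would help. The loop body continues outside both hunks.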
@@ -0,0 +1,28 @@
+--TEST--
+Bug #73392 (A use-after-free in zend allocator management)
+--FILE--
+ 'b', "/b/" => function () { return "c"; }, "/c/" => new Rep, "reporting" => array("Foo", "rep"), "a1" => array("Foo", "rep"),
+ ), 'a'));
+?>
+
+--EXPECTF--
+Warning: preg_replace_callback_array(): Delimiter must not be alphanumeric or backslash in %sbug73392.php on line %d
+
+Warning: preg_replace_callback_array(): Delimiter must not be alphanumeric or backslash in %sbug73392.php on line %d
+NULL