From 1a78bdab276a9e34aa1ae00a184538e2d0dacdcd Mon Sep 17 00:00:00 2001 From: Theodore Brown Date: Sun, 25 Aug 2019 00:33:51 -0500 Subject: [PATCH] Fix #78454: Consecutive numeric separators cause OOM error Resolves out of memory error when consecutive numeric separators follow a binary/hex literal. --- NEWS | 2 ++ Zend/tests/bug78454_1.phpt | 7 +++++++ Zend/tests/bug78454_2.phpt | 7 +++++++ Zend/zend_language_scanner.l | 4 ++-- 4 files changed, 18 insertions(+), 2 deletions(-) create mode 100644 Zend/tests/bug78454_1.phpt create mode 100644 Zend/tests/bug78454_2.phpt diff --git a/NEWS b/NEWS index 45df257660..69913fdaa8 100644 --- a/NEWS +++ b/NEWS @@ -9,6 +9,8 @@ PHP NEWS (cmb, Nikita) . Fixed bug #78441 (Parse error due to heredoc identifier followed by digit). (cmb) + . Fixed bug #78454 (Consecutive numeric separators cause OOM error). + (Theodore Brown) - SPL: . Fixed bug #78436 (Missing addref in SplPriorityQueue EXTR_BOTH mode). diff --git a/Zend/tests/bug78454_1.phpt b/Zend/tests/bug78454_1.phpt new file mode 100644 index 0000000000..184d358372 --- /dev/null +++ b/Zend/tests/bug78454_1.phpt @@ -0,0 +1,7 @@ +--TEST-- +Invalid consecutive numeric separators after hex literal +--FILE-- + 0 && (*bin == '0' || *bin == '_')) { ++bin; --len; } @@ -1892,7 +1892,7 @@ NEWLINE ("\r"|"\n"|"\r\n") char *end, *hex = yytext + 2; /* Skip any leading 0s */ - while (*hex == '0' || *hex == '_') { + while (len > 0 && (*hex == '0' || *hex == '_')) { ++hex; --len; } -- 2.50.1
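Review bot: In Zend/zend_language_scanner.l the comment above the hex loop still reads `/* Skip any leading 0s */`, which does not tell a reader that `_` is skipped too or why the new `len > 0` bound is there; the binary-literal loop changed earlier in this patch has the same shape. The bound is the whole fix: without it the loop could keep advancing `hex` and decrementing `len` past the end of the matched token, presumably leaving `len` negative before it is used as a length further down (inferred from the bug title, since that code is outside the hunk). I would reword both comments to something like `/* Skip leading 0s and separators, but never read past the end of the token */`. Both rule bodies start and end outside their hunks, so it is worth confirming that the code after each loop treats `len == 0`, an all-zero literal, as a valid case.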