From aaa295fa3517f452c074c3ed718262cda68c19bb Mon Sep 17 00:00:00 2001
From: Jani Taskinen <jani@php.net>
Date: Fri, 16 Nov 2007 12:28:34 +0000
Subject: [PATCH] MFH:- Fixed bug #43301 (mb_ereg*_replace() crashes when
 replacement string is invalid PHP expression and 'e' option is used)

---
 NEWS                             |  2 ++
 ext/mbstring/php_mbregex.c       |  7 ++++++-
 ext/mbstring/tests/bug43301.phpt | 21 +++++++++++++++++++++
 3 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 ext/mbstring/tests/bug43301.phpt

diff --git a/NEWS b/NEWS
index 142edb032b..90f361659e 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,8 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2008, PHP 5.2.6
+- Fixed bug #43301 (mb_ereg*_replace() crashes when replacement string is invalid
+  PHP expression and 'e' option is used). (Jani)
 - Fixed bug #43293 (Multiple segfaults in getopt()). (Hannes)
 - Fixed bug #43279 (pg_send_query_params() converts all elements in 'params' 
   to strings). (Ilia)
diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
index 81b39b1bd8..99e1a5fde7 100644
--- a/ext/mbstring/php_mbregex.c
+++ b/ext/mbstring/php_mbregex.c
@@ -737,7 +737,12 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp
 				/* null terminate buffer */
 				smart_str_appendc(&eval_buf, '\0');
 				/* do eval */
-				zend_eval_string(eval_buf.c, &v, description TSRMLS_CC);
+				if (zend_eval_string(eval_buf.c, &v, description TSRMLS_CC) == FAILURE) {
+					efree(description);
+					php_error_docref(NULL TSRMLS_CC,E_ERROR, "Failed evaluating code: %s%s", PHP_EOL, eval_buf.c);
+					/* zend_error() does not return in this case */
+				}
+
 				/* result of eval */
 				convert_to_string(&v);
 				smart_str_appendl(&out_buf, Z_STRVAL(v), Z_STRLEN(v));
diff --git a/ext/mbstring/tests/bug43301.phpt b/ext/mbstring/tests/bug43301.phpt
new file mode 100644
index 0000000000..71b169c12c
--- /dev/null
+++ b/ext/mbstring/tests/bug43301.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Bug #43301 (mb_ereg*_replace() crashes when replacement string is invalid PHP expression and 'e' option is used)
+--SKIPIF--
+<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
+--FILE--
+<?php
+
+$ptr = 'hello';
+
+$txt = <<<doc
+hello, I have got a cr*sh on you
+doc;
+
+echo mb_ereg_replace($ptr,'$1',$txt,'e');
+
+?>
+--EXPECTF--
+Parse error: syntax error, unexpected T_LNUMBER, expecting T_VARIABLE or '$' in %s/bug43301.php(%d) : mbregex replace on line 1
+
+Fatal error: mb_ereg_replace(): Failed evaluating code: 
+$1 in %s/bug43301.php on line %d
-- 
2.50.1