From ae3b2078eac226c61bc325527e607ad275936d22 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Sat, 13 Aug 2016 11:39:16 +0200
Subject: [PATCH] Fix #72823: strtr out-of-bound access
If php_strtr_array_prepare_repls() reports pattern_len == 0, we return early to avoid OOB accesses, and because there is nothing to replace anyway.
---
NEWS | 3 +++
ext/standard/string.c | 8 +++++++-
ext/standard/tests/strings/bug72823.phpt | 12 ++++++++++++
3 files changed, 22 insertions(+), 1 deletion(-)
create mode 100644 ext/standard/tests/strings/bug72823.phpt
diff --git a/NEWS b/NEWS
index 90215cdbfc..7bf6fbf3f7 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,9 @@ PHP NEWS
 . Fixed bug #60665 (call to empty() on NULL result using PDO::FETCH_LAZY returns false). (cmb)
+- Standard:
+ . Fixed bug #72823 (strtr out-of-bound access). (cmb)
+ 18 Aug 2016, PHP 5.6.25 - Core:
diff --git a/ext/standard/string.c b/ext/standard/string.c
index 1ecbdb97ce..9498496fce 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -2989,7 +2989,7 @@ static PPRES *php_strtr_array_prepare(STR *text, PATNREPL *patterns, int patnum,
 res->m = L(&patterns[i].pat);
 }
 }
- assert(res->m > 0);
+ assert(res->m > 0 && res->m != (STRLEN)-1);
 res->B = B = MIN(B, res->m);
 res->Bp = Bp = MIN(Bp, res->m);
@@ -3131,6 +3131,12 @@ static void php_strtr_array(zval *return_value, char *str, int slen, HashTable *
 if (patterns == NULL) {
 RETURN_FALSE;
 }
+ if (patterns_len == 0) {
+ efree(patterns);
+ zend_llist_destroy(allocs);
+ efree(allocs);
+ RETURN_STRINGL(str, slen, 1);
+ }
 data = php_strtr_array_prepare(&text, patterns, patterns_len, 2, 2);
 efree(patterns);
 php_strtr_array_do_repl(&text, data, return_value);
diff --git a/ext/standard/tests/strings/bug72823.phpt b/ext/standard/tests/strings/bug72823.phpt
new file mode 100644
index 0000000000..d0aaf0fd35
--- /dev/null
+++ b/ext/standard/tests/strings/bug72823.phpt
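Review bot: The strengthened `assert(res->m > 0 && res->m != (STRLEN)-1);` in php_strtr_array_prepare() is a debug-only check. If this is the standard assert(), it expands to nothing when NDEBUG is defined, so an empty pattern set would still reach the `MIN(B, res->m)` lines below it. The sentinel in the assert suggests res->m starts at (STRLEN)-1, but that initialisation is outside the hunk, as are the start and end of the function. Since the effective guard is the early return added in php_strtr_array(), I would state the precondition next to the assert, e.g. `/* patnum must be > 0: the caller returns early on an empty pattern set (bug #72823) */`.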
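Review bot: The new `if (patterns_len == 0)` branch in php_strtr_array() has no comment saying when a non-NULL `patterns` can come back with zero entries, which is the case the whole fix depends on. A short comment would keep the guard from later being removed as dead code, e.g. `/* no usable patterns: nothing to replace, and php_strtr_array_prepare() must not be called with patnum == 0 (bug #72823) */`. The branch also releases `patterns` and `allocs` by hand before returning. The function's normal exit is outside the hunk, so it is worth confirming that the two release sequences match and stay in step.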
@@ -0,0 +1,12 @@ +--TEST-- +Bug #72823 (strtr out-of-bound access) +--FILE-- + 'bbb')) +); +?> +===DONE=== +--EXPECT-- +string(2) "11" +===DONE=== -- 2.40.0