archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-16 05:58:45 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge branch 'PHP-7.4' into PHP-8.0

Browse source 
* PHP-7.4:
  Fix #81243: Too much memory is allocated for preg_replace()
This commit is contained in:
Christoph M. Becker 2021-07-12 18:35:28 +02:00
commit 5fb5a739e2
No known key found for this signature in database
GPG key ID: D66C9593118BCCB6
3 changed files with 36 additions and 18 deletions
Download patch file Download diff file Expand all files Collapse all files

1
NEWS
View file

@ -27,6 +27,7 @@ PHP NEWS
- PCRE:
. Fixed bug #81101 (PCRE2 10.37 shows unexpected result). (Anatol)
. Fixed bug #81243 (Too much memory is allocated for preg_replace()). (cmb)
- Reflection:
. Fixed bug #81208 (Segmentation fault while create newInstance from

32
ext/pcre/php_pcre.c
View file

@ -1716,7 +1716,7 @@ matched:
}
if (new_len >= alloc_len) {
alloc_len = zend_safe_address_guarded(2, new_len, alloc_len);
alloc_len = zend_safe_address_guarded(2, new_len, 0);
if (result == NULL) {
result = zend_string_alloc(alloc_len, 0);
} else {
@ -1802,14 +1802,12 @@ not_matched:
result = zend_string_copy(subject_str);
break;
}
new_len = result_len + subject_len - last_end_offset;
if (new_len >= alloc_len) {
alloc_len = new_len; /* now we know exactly how long it is */
if (NULL != result) {
result = zend_string_realloc(result, alloc_len, 0);
} else {
result = zend_string_alloc(alloc_len, 0);
}
/* now we know exactly how long it is */
alloc_len = result_len + subject_len - last_end_offset;
if (NULL != result) {
result = zend_string_realloc(result, alloc_len, 0);
} else {
result = zend_string_alloc(alloc_len, 0);
}
/* stick that last bit of string on our output */
memcpy(ZSTR_VAL(result) + result_len, piece, subject_len - last_end_offset);
@ -1956,7 +1954,7 @@ matched:
ZEND_ASSERT(eval_result);
new_len = zend_safe_address_guarded(1, ZSTR_LEN(eval_result), new_len);
if (new_len >= alloc_len) {
alloc_len = zend_safe_address_guarded(2, new_len, alloc_len);
alloc_len = zend_safe_address_guarded(2, new_len, 0);
if (result == NULL) {
result = zend_string_alloc(alloc_len, 0);
} else {
@ -2013,14 +2011,12 @@ not_matched:
result = zend_string_copy(subject_str);
break;
}
new_len = result_len + subject_len - last_end_offset;
if (new_len >= alloc_len) {
alloc_len = new_len; /* now we know exactly how long it is */
if (NULL != result) {
result = zend_string_realloc(result, alloc_len, 0);
} else {
result = zend_string_alloc(alloc_len, 0);
}
/* now we know exactly how long it is */
alloc_len = result_len + subject_len - last_end_offset;
if (NULL != result) {
result = zend_string_realloc(result, alloc_len, 0);
} else {
result = zend_string_alloc(alloc_len, 0);
}
/* stick that last bit of string on our output */
memcpy(ZSTR_VAL(result) + result_len, piece, subject_len - last_end_offset);

21
ext/pcre/tests/bug81243.phpt Normal file
View file

@ -0,0 +1,21 @@
--TEST--
Bug #81243 (Too much memory is allocated for preg_replace())
--FILE--
<?php
$test_string = str_repeat('Eins zwei drei', 2000);
$replaced = preg_replace('/\s/', '-', $test_string);
$mem0 = memory_get_usage();
$replaced = str_repeat($replaced, 1);
$mem1 = memory_get_usage();
var_dump($mem0 == $mem1);
$replaced = preg_replace_callback('/\s/', function ($_) {return '-';}, $test_string);
$mem0 = memory_get_usage();
$replaced = str_repeat($replaced, 1);
$mem1 = memory_get_usage();
var_dump($mem0 == $mem1);
?>
--EXPECT--
bool(true)
bool(true)