archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-15 21:48:51 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Fix #81243: Too much memory is allocated for preg_replace()

Browse source 
Trimming a potentially over-allocated string appears to be reasonable,
so we drop the condition altogether.

We also re-allocate twice the size needed in the first place, and not
roughly tripple the size.

Closes GH-7231.
This commit is contained in:
Christoph M. Becker 2021-07-12 16:35:35 +02:00
parent bb43aa2ed3
commit a6b43086e6
No known key found for this signature in database
GPG key ID: D66C9593118BCCB6
3 changed files with 36 additions and 18 deletions
Download patch file Download diff file Expand all files Collapse all files

32
ext/pcre/php_pcre.c
View file

@ -1719,7 +1719,7 @@ matched:
}
if (new_len >= alloc_len) {
alloc_len = zend_safe_address_guarded(2, new_len, alloc_len);
alloc_len = zend_safe_address_guarded(2, new_len, 0);
if (result == NULL) {
result = zend_string_alloc(alloc_len, 0);
} else {
@ -1805,14 +1805,12 @@ not_matched:
result = zend_string_copy(subject_str);
break;
}
new_len = result_len + subject_len - last_end_offset;
if (new_len >= alloc_len) {
alloc_len = new_len; /* now we know exactly how long it is */
if (NULL != result) {
result = zend_string_realloc(result, alloc_len, 0);
} else {
result = zend_string_alloc(alloc_len, 0);
}
/* now we know exactly how long it is */
alloc_len = result_len + subject_len - last_end_offset;
if (NULL != result) {
result = zend_string_realloc(result, alloc_len, 0);
} else {
result = zend_string_alloc(alloc_len, 0);
}
/* stick that last bit of string on our output */
memcpy(ZSTR_VAL(result) + result_len, piece, subject_len - last_end_offset);
@ -1959,7 +1957,7 @@ matched:
ZEND_ASSERT(eval_result);
new_len = zend_safe_address_guarded(1, ZSTR_LEN(eval_result), new_len);
if (new_len >= alloc_len) {
alloc_len = zend_safe_address_guarded(2, new_len, alloc_len);
alloc_len = zend_safe_address_guarded(2, new_len, 0);
if (result == NULL) {
result = zend_string_alloc(alloc_len, 0);
} else {
@ -2016,14 +2014,12 @@ not_matched:
result = zend_string_copy(subject_str);
break;
}
new_len = result_len + subject_len - last_end_offset;
if (new_len >= alloc_len) {
alloc_len = new_len; /* now we know exactly how long it is */
if (NULL != result) {
result = zend_string_realloc(result, alloc_len, 0);
} else {
result = zend_string_alloc(alloc_len, 0);
}
/* now we know exactly how long it is */
alloc_len = result_len + subject_len - last_end_offset;
if (NULL != result) {
result = zend_string_realloc(result, alloc_len, 0);
} else {
result = zend_string_alloc(alloc_len, 0);
}
/* stick that last bit of string on our output */
memcpy(ZSTR_VAL(result) + result_len, piece, subject_len - last_end_offset);