archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-15 21:48:51 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Fix #81243: Too much memory is allocated for preg_replace()

Browse source 
Trimming a potentially over-allocated string appears to be reasonable,
so we drop the condition altogether.

We also re-allocate twice the size needed in the first place, and not
roughly tripple the size.

Closes GH-7231.
This commit is contained in:
Christoph M. Becker 2021-07-12 16:35:35 +02:00
parent bb43aa2ed3
commit a6b43086e6
No known key found for this signature in database
GPG key ID: D66C9593118BCCB6
3 changed files with 36 additions and 18 deletions
Download patch file Download diff file Expand all files Collapse all files

1
NEWS
View file

@ -25,6 +25,7 @@ PHP NEWS
- PCRE:
. Fixed bug #81101 (PCRE2 10.37 shows unexpected result). (Anatol)
. Fixed bug #81243 (Too much memory is allocated for preg_replace()). (cmb)
- Standard:
. Fixed bug #81223 (flock() only locks first byte of file). (cmb)

16
ext/pcre/php_pcre.c
View file

@ -1719,7 +1719,7 @@ matched:
}
if (new_len >= alloc_len) {
alloc_len = zend_safe_address_guarded(2, new_len, alloc_len);
alloc_len = zend_safe_address_guarded(2, new_len, 0);
if (result == NULL) {
result = zend_string_alloc(alloc_len, 0);
} else {
@ -1805,15 +1805,13 @@ not_matched:
result = zend_string_copy(subject_str);
break;
}
new_len = result_len + subject_len - last_end_offset;
if (new_len >= alloc_len) {
alloc_len = new_len; /* now we know exactly how long it is */
/* now we know exactly how long it is */
alloc_len = result_len + subject_len - last_end_offset;
if (NULL != result) {
result = zend_string_realloc(result, alloc_len, 0);
} else {
result = zend_string_alloc(alloc_len, 0);
}
}
/* stick that last bit of string on our output */
memcpy(ZSTR_VAL(result) + result_len, piece, subject_len - last_end_offset);
result_len += subject_len - last_end_offset;
@ -1959,7 +1957,7 @@ matched:
ZEND_ASSERT(eval_result);
new_len = zend_safe_address_guarded(1, ZSTR_LEN(eval_result), new_len);
if (new_len >= alloc_len) {
alloc_len = zend_safe_address_guarded(2, new_len, alloc_len);
alloc_len = zend_safe_address_guarded(2, new_len, 0);
if (result == NULL) {
result = zend_string_alloc(alloc_len, 0);
} else {
@ -2016,15 +2014,13 @@ not_matched:
result = zend_string_copy(subject_str);
break;
}
new_len = result_len + subject_len - last_end_offset;
if (new_len >= alloc_len) {
alloc_len = new_len; /* now we know exactly how long it is */
/* now we know exactly how long it is */
alloc_len = result_len + subject_len - last_end_offset;
if (NULL != result) {
result = zend_string_realloc(result, alloc_len, 0);
} else {
result = zend_string_alloc(alloc_len, 0);
}
}
/* stick that last bit of string on our output */
memcpy(ZSTR_VAL(result) + result_len, piece, subject_len - last_end_offset);
result_len += subject_len - last_end_offset;

21
ext/pcre/tests/bug81243.phpt Normal file
View file

@ -0,0 +1,21 @@
--TEST--
Bug #81243 (Too much memory is allocated for preg_replace())
--FILE--
<?php
$test_string = str_repeat('Eins zwei drei', 2000);
$replaced = preg_replace('/\s/', '-', $test_string);
$mem0 = memory_get_usage();
$replaced = str_repeat($replaced, 1);
$mem1 = memory_get_usage();
var_dump($mem0 == $mem1);
$replaced = preg_replace_callback('/\s/', function ($_) {return '-';}, $test_string);
$mem0 = memory_get_usage();
$replaced = str_repeat($replaced, 1);
$mem1 = memory_get_usage();
var_dump($mem0 == $mem1);
?>
--EXPECT--
bool(true)
bool(true)