Merge branch 'PHP-8.2' into PHP-8.3

* PHP-8.2:
  Fix GH-16184: UBSan address overflowed in ext/pcre/php_pcre.c
This commit is contained in:
Niels Dossche 2024-10-03 21:11:25 +02:00
commit ddc7a6b1fc
No known key found for this signature in database
GPG key ID: B8A8AD166DF0E2E5
3 changed files with 21 additions and 4 deletions

4
NEWS
View file

@ -40,7 +40,9 @@ PHP NEWS
. Fixed stub for openssl_csr_new. (Jakub Zelenka) . Fixed stub for openssl_csr_new. (Jakub Zelenka)
- PCRE: - PCRE:
. Fixed GH-16189 (underflow on offset argument). (David Carlier) . Fixed bug GH-16189 (underflow on offset argument). (David Carlier)
. Fixed bug GH-16184 (UBSan address overflowed in ext/pcre/php_pcre.c).
(nielsdos)
- PHPDBG: - PHPDBG:
. Fixed bug GH-15901 (phpdbg: Assertion failure on i funcs). (cmb) . Fixed bug GH-15901 (phpdbg: Assertion failure on i funcs). (cmb)

View file

@ -1728,10 +1728,12 @@ matched:
} }
if (preg_get_backref(&walk, &backref)) { if (preg_get_backref(&walk, &backref)) {
if (backref < count) { if (backref < count) {
if (offsets[backref<<1] < SIZE_MAX) {
match_len = offsets[(backref<<1)+1] - offsets[backref<<1]; match_len = offsets[(backref<<1)+1] - offsets[backref<<1];
memcpy(walkbuf, subject + offsets[backref<<1], match_len); memcpy(walkbuf, subject + offsets[backref<<1], match_len);
walkbuf += match_len; walkbuf += match_len;
} }
}
continue; continue;
} }
} }

View file

@ -0,0 +1,13 @@
--TEST--
GH-16184 (UBSan address overflowed in ext/pcre/php_pcre.c)
--CREDITS--
YuanchengJiang
--FILE--
<?php
$string = 'This is a string. It contains numbers (0*9) as well as parentheses and some other things!';
echo preg_replace(array('/\b\w{1}s/', '/(\d{1})*(\d{1})/', '/[\(!\)]/'), array('test', '$1 to $2', '*'), $string), "\n";
?>
--EXPECT--
This test a string. It contains numbers * to 0* to 9* test well test parentheses and some other things*