Bug #32950 possible segfault with mb_ereg_replace
Submitted: 2005-05-05 08:38 UTC Modified: 2005-05-06 14:29 UTC
From: kameshj at fastmail dot fm Assigned:
Status: Not a bug Package: mbstring related
PHP Version: 5.0.4 OS: All
Private report: No CVE-ID: None
 [2005-05-05 08:38 UTC] kameshj at fastmail dot fm
Description:
------------
Function _php_mb_regex_ereg_replace_exec in php_mbregex.c returns
RETVAL_STRINGL((char *)out_buf.c, out_buf.len - 1, 0); //At the end of the function
0 as the 3rd argument to the RETVAL_STRINGL macro does not duplicate the content and sets a retval zval that is the same as out_buf.c.

out_buf.c is allocated using malloc/realloc family not emalloc/erealloc.

When zval_ptr_dtor is called on mb_ereg_replace's retval, it calls
efree (which it should not). Hence, in the macro REMOVE_POINTER_FROM_LIST, the line
p->pLast->pNext = p->pNext; \
causes a segfault (as p->pLast is null or some strange pointer not
within the control of the running program).
A patch for the 5.0 tree is available here:
http://puggy.symonds.net/~kameshj/php_mbregex.c.patch


Reproduce code:
---------------
<?php
echo mb_ereg_replace( ' ', '-', 'a b c d e' );
?>

Expected result:
----------------
a-b-c-d-e

Actual result:
--------------
Segfault

 [2005-05-05 19:50 UTC] moriyoshi@php.net
That's not quite the case. smart_str actually uses emalloc() unless the macros are of the *_ex family and true is given to the "what" parameter.

Could you give me a backtrace to see what was going on?
 [2005-05-06 10:18 UTC] kameshj at fastmail dot fm
Sorry my mistake.
In our build system we accidentally used
-DSMART_STR_USE_REALLOC=1; because of that, realloc is used for allocation. zval_ptr_dtor calls efree on a non-erealloc'ed pointer.
After removal it works fine.
 [2005-05-06 10:20 UTC] kameshj at fastmail dot fm
Closing this as Not a defect.
 [2005-05-06 14:29 UTC] derick@php.net
Not a bug in PHP -> status: Bogus
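The allocator mismatch described in the report and in the 2005-05-06 follow-up (a smart_str buffer grown with realloc() under SMART_STR_USE_REALLOC, adopted by the engine through RETVAL_STRINGL with duplicate=0, then handed to efree by zval_ptr_dtor), shown as an added C example that is not PHP's code: the block list, the smart_str and the engine_* names are a constructed miniature of the Zend allocator, and engine_free checks list membership instead of dereferencing a foreign header, so the mismatch is reported rather than crashing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Engine allocator: each block carries a header linked into a list, like the
 * Zend allocator's pLast/pNext that REMOVE_POINTER_FROM_LIST manipulates. */
typedef struct block { size_t size; struct block *pLast, *pNext; } block;
static block *head;
static void *engine_malloc(size_t n) {
    block *b = malloc(sizeof *b + n);
    b->size = n; b->pLast = NULL; b->pNext = head;
    if (head) head->pLast = b; head = b;
    return b + 1;
}
/* Returns 1 when p is an engine block (unlinked and freed), 0 when it came from
 * malloc/realloc, the mismatch that crashed at p->pLast->pNext in the report.
 * Membership is found by walking the list, so a foreign pointer is never dereferenced. */
static int engine_free(void *p) {
    for (block *b = head; b; b = b->pNext) {
        if ((void *)(b + 1) != p) continue;
        if (b->pLast) b->pLast->pNext = b->pNext; else head = b->pNext;
        if (b->pNext) b->pNext->pLast = b->pLast;
        free(b); return 1;
    }
    return 0;
}
static void *engine_realloc(void *p, size_t n) {   /* p is NULL or an engine block */
    void *q = engine_malloc(n);
    if (p) { block *b = (block *)p - 1; memcpy(q, p, b->size < n ? b->size : n); engine_free(p); }
    return q;
}
/* smart_str in miniature; use_realloc stands in for -DSMART_STR_USE_REALLOC=1. */
typedef struct { char *c; size_t len, a; } smart_str;
static void smart_str_appendc(smart_str *d, char ch, int use_realloc) {
    if (d->len + 2 > d->a) {
        d->a = (d->len + 2) * 2;
        d->c = use_realloc ? realloc(d->c, d->a) : engine_realloc(d->c, d->a);
    }
    d->c[d->len++] = ch; d->c[d->len] = '\0';
}
/* Tail of _php_mb_regex_ereg_replace_exec in miniature: RETVAL_STRINGL(..., 0) adopts
 * out_buf.c without copying, and zval_ptr_dtor later hands it to efree. Copies the
 * result into out; returns 1 if the engine freed the buffer, 0 if it refused it. */
static int replace_and_destroy(const char *in, char from, char to, int use_realloc, char *out, size_t outsz) {
    smart_str buf = {0};
    for (; *in; in++) smart_str_appendc(&buf, *in == from ? to : *in, use_realloc);
    char *retval = buf.c;                               /* RETVAL_STRINGL(out_buf.c, len, 0) */
    snprintf(out, outsz, "%s", retval ? retval : "");
    int ok = engine_free(retval);                       /* zval_ptr_dtor -> efree */
    if (!ok) free(retval);                              /* demo only: free with the matching allocator */
    return ok;
}
```

With use_realloc=0 the replacement "a-b-c-d-e" is produced and the engine frees its own block; with use_realloc=1 the same string is produced but engine_free returns 0, which is where the real allocator walked into an unrelated header and segfaulted.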