php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #32950 possible segfault with mb_ereg_replace
Submitted: 2005-05-05 08:38 UTC Modified: 2005-05-06 14:29 UTC
From: kameshj at fastmail dot fm Assigned:
Status: Not a bug Package: mbstring related
PHP Version: 5.0.4 OS: All
Private report: No CVE-ID: None
View Add Comment Developer Edit
 [2005-05-05 08:38 UTC] kameshj at fastmail dot fm 
Description:
------------
Function _php_mb_regex_ereg_replace_exec in php_mbregex.c returns
RETVAL_STRINGL((char *)out_buf.c, out_buf.len - 1, 0); //At the end of the function
0 as the 3rd argument to RETVAL_STRINGL Macro does not duplicate the content and sets a retval zval same as out_buf.c.

out_buf.c is allocated using malloc/realloc family not emalloc/erealloc.

While zval_ptr_dtor is called on mb_reg_replace's retval, calls
efree(which it should not.). Hence in the macro REMOVE_POINTER_FROM_LIST
p->pLast->pNext = p->pNext; \
line causes a seg fault.(As p->pLast is null or some strange pointer not
within the control of the running program)
Patch for 5.0 tree is available here
http://puggy.symonds.net/~kameshj/php_mbregex.c.patch


Reproduce code:
---------------
<?php
echo mb_ereg_replace( ' ', '-', 'a b c d e' );
?>

Expected result:
----------------
a-b-c-d-e

Actual result:
--------------
Segfault

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-05-05 19:50 UTC] moriyoshi@php.net 
That's not quite the case. smart_str actually uses 
emalloc() unless the macros are of the *_ex family and 
true is given to "what" parameter.

Could you give me any backtrace to see what was going 
on?
 [2005-05-06 10:18 UTC] kameshj at fastmail dot fm 
Sorry my mistake.
In out build system we accidentally used 
-DSMART_STR_USE_REALLOC=1 because of that realloc is used for allocation. zval_ptr_dtor calles efree on a non erealloced pointer.
After removal it works fine.
 [2005-05-06 10:20 UTC] kameshj at fastmail dot fm 
Closing this as Not a defect.
 [2005-05-06 14:29 UTC] derick@php.net 
Not a bug in PHP -> status: Bogus
 
PHP Copyright © 2001-2023 The PHP Group
All rights reserved. 		Last updated: Thu Jun 01 06:03:42 2023 UTC