php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

Patch pcre_unicode_memory_corruption.patch for PCRE related Bug #79188

Patch version 2020-01-29 09:21 UTC

Return to Bug #79188 | Download this patch
Patch Revisions:

Developer: cschneid@php.net

diff --git a/ext/pcre/php_pcre.c b/ext/pcre/php_pcre.c
index 9305fca71c..2dbb807ec3 100644
--- a/ext/pcre/php_pcre.c
+++ b/ext/pcre/php_pcre.c
@@ -1733,6 +1733,11 @@ matched:
 					if (start_offset < subject_len) {
 						size_t unit_len = calculate_unit_length(pce, piece);
 
+						new_len = result_len + unit_len;
+						if (new_len > alloc_len) {
+							alloc_len = zend_safe_address_guarded(2, new_len, alloc_len);
+							result = zend_string_extend(result, alloc_len, 0);
+						}
 						start_offset += unit_len;
 						memcpy(ZSTR_VAL(result) + result_len, piece, unit_len);
 						result_len += unit_len;
@@ -1945,6 +1950,11 @@ matched:
 					if (start_offset < subject_len) {
 						size_t unit_len = calculate_unit_length(pce, piece);
 
+						new_len = result_len + unit_len;
+						if (new_len > alloc_len) {
+							alloc_len = zend_safe_address_guarded(2, new_len, alloc_len);
+							result = zend_string_extend(result, alloc_len, 0);
+						}
 						start_offset += unit_len;
 						memcpy(ZSTR_VAL(result) + result_len, piece, unit_len);
 						result_len += unit_len;
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Mon Jun 01 20:01:24 2020 UTC