Patch pcre_unicode_memory_corruption.patch for PCRE related Bug #79188
Patch version 2020-01-29 09:21 UTC
Developer: cschneid@php.net
diff --git a/ext/pcre/php_pcre.c b/ext/pcre/php_pcre.c
index 9305fca71c..2dbb807ec3 100644
--- a/ext/pcre/php_pcre.c
+++ b/ext/pcre/php_pcre.c
@@ -1733,6 +1733,11 @@ matched:
if (start_offset < subject_len) {
size_t unit_len = calculate_unit_length(pce, piece);
+ new_len = result_len + unit_len;
+ if (new_len > alloc_len) {
+ alloc_len = zend_safe_address_guarded(2, new_len, alloc_len);
+ result = zend_string_extend(result, alloc_len, 0);
+ }
start_offset += unit_len;
memcpy(ZSTR_VAL(result) + result_len, piece, unit_len);
result_len += unit_len;
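Review bot: The added growth path calls `zend_string_extend(result, alloc_len, 0)` unconditionally, which is only valid if `result` has already been allocated when this branch runs; the enclosing function starts and ends outside the hunk, so that cannot be confirmed from here. If the invariant holds (presumably because this branch is only reached after an earlier empty match passed through `matched:`), state it with `ZEND_ASSERT(result != NULL);` before the extend, or with a comment such as `/* result was allocated by the preceding empty match */`; otherwise fall back to `zend_string_alloc(alloc_len, 0)` when it is NULL. The same applies to the identical block in the second hunk at new line 1950. A regression test reproducing Bug #79188 is not part of this patch and would be worth adding so the missing bounds check before the `memcpy` cannot silently return.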
@@ -1945,6 +1950,11 @@ matched:
if (start_offset < subject_len) {
size_t unit_len = calculate_unit_length(pce, piece);
+ new_len = result_len + unit_len;
+ if (new_len > alloc_len) {
+ alloc_len = zend_safe_address_guarded(2, new_len, alloc_len);
+ result = zend_string_extend(result, alloc_len, 0);
+ }
start_offset += unit_len;
memcpy(ZSTR_VAL(result) + result_len, piece, unit_len);
result_len += unit_len;