Fix use of mb_ereg_search_getregs() after invalid pattern

nikic · nikic · commit 392ad206a4f6 · 2020-01-29T12:50:18.000+01:00
This segfaulted because we assumed that if there are matches,
there must be a regular expression as well.
diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
@@ -1426,6 +1426,11 @@ _php_mb_regex_ereg_search_exec(INTERNAL_FUNCTION_PARAMETERS, int mode)
 		_php_mb_regex_init_options(arg_options, arg_options_len, &option, &syntax, NULL);
 	}
 
+	if (MBREX(search_regs)) {
+		onig_region_free(MBREX(search_regs), 1);
+		MBREX(search_regs) = NULL;
+	}
+
 	if (arg_pattern) {
 		/* create regex pattern buffer */
 		if ((MBREX(search_re) = php_mbregex_compile_pattern(arg_pattern, arg_pattern_len, option, MBREX(current_mbctype), MBREX(regex_default_syntax))) == NULL) {
@@ -1451,9 +1456,6 @@ _php_mb_regex_ereg_search_exec(INTERNAL_FUNCTION_PARAMETERS, int mode)
 		RETURN_FALSE;
 	}
 
-	if (MBREX(search_regs)) {
-		onig_region_free(MBREX(search_regs), 1);
-	}
 	MBREX(search_regs) = onig_region_new();
 
 	err = _php_mb_onig_search(MBREX(search_re), str, str + len, str + pos, str  + len, MBREX(search_regs), 0);
diff --git a/ext/mbstring/tests/mb_ereg_search_invalid_pattern.phpt b/ext/mbstring/tests/mb_ereg_search_invalid_pattern.phpt
@@ -0,0 +1,17 @@
+--TEST--
+mb_ereg_search() with invalid pattern should discard old matches
+--FILE--
+<?php
+
+mb_ereg_search_init('');
+var_dump(mb_ereg_search(''));
+var_dump(mb_ereg_search("\xff"));
+var_dump(mb_ereg_search_getregs());
+
+?>
+--EXPECTF--
+bool(true)
+
+Warning: mb_ereg_search(): Pattern is not valid under UTF-8 encoding in %s on line %d
+bool(false)
+bool(false)
