Merge branch 'PHP-7.1' into PHP-7.2

smalyshev · smalyshev · commit 402adc1df135 · 2019-03-28T00:35:22.000-07:00
* PHP-7.1:
  Validate subject encoding in mb_split and mb_ereg_match
  Validate pattern against mbregex encoding
  SQLite3: add DEFENSIVE config for SQLite &gt;= 3.26.0 as a mitigation strategy against potential security flaws
diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
@@ -448,13 +448,18 @@ static php_mb_regex_t *php_mbregex_compile_pattern(const char *pattern, int patl
 	OnigErrorInfo err_info;
 	OnigUChar err_str[ONIG_MAX_ERROR_MESSAGE_LEN];
 
+	if (!php_mb_check_encoding(pattern, patlen, _php_mb_regex_mbctype2name(enc))) {
+		php_error_docref(NULL, E_WARNING,
+			"Pattern is not valid under %s encoding", _php_mb_regex_mbctype2name(enc));
+		return NULL;
+	}
+
 	rc = zend_hash_str_find_ptr(&MBREX(ht_rc), (char *)pattern, patlen);
 	if (!rc || onig_get_options(rc) != options || onig_get_encoding(rc) != enc || onig_get_syntax(rc) != syntax) {
 		if ((err_code = onig_new(&retval, (OnigUChar *)pattern, (OnigUChar *)(pattern + patlen), options, enc, syntax, &err_info)) != ONIG_NORMAL) {
 			onig_error_code_to_str(err_str, err_code, &err_info);
 			php_error_docref(NULL, E_WARNING, "mbregex compile err: %s", err_str);
-			retval = NULL;
-			goto out;
+			return NULL;
 		}
 		if (rc == MBREX(search_re)) {
 			/* reuse the new rc? see bug #72399 */
@@ -464,7 +469,6 @@ static php_mb_regex_t *php_mbregex_compile_pattern(const char *pattern, int patl
 	} else {
 		retval = rc;
 	}
-out:
 	return retval;
 }
 /* }}} */
@@ -1107,6 +1111,11 @@ PHP_FUNCTION(mb_split)
 		count--;
 	}
 
+	if (!php_mb_check_encoding(string, string_len,
+			_php_mb_regex_mbctype2name(MBREX(current_mbctype)))) {
+		RETURN_FALSE;
+	}
+
 	/* create regex pattern buffer */
 	if ((re = php_mbregex_compile_pattern(arg_pattern, arg_pattern_len, MBREX(regex_default_options), MBREX(current_mbctype), MBREX(regex_default_syntax))) == NULL) {
 		RETURN_FALSE;
@@ -1196,6 +1205,11 @@ PHP_FUNCTION(mb_ereg_match)
 		}
 	}
 
+	if (!php_mb_check_encoding(string, string_len,
+			_php_mb_regex_mbctype2name(MBREX(current_mbctype)))) {
+		RETURN_FALSE;
+	}
+
 	if ((re = php_mbregex_compile_pattern(arg_pattern, arg_pattern_len, option, MBREX(current_mbctype), syntax)) == NULL) {
 		RETURN_FALSE;
 	}
diff --git a/ext/mbstring/tests/bug72994.phpt b/ext/mbstring/tests/bug72994.phpt
@@ -14,6 +14,6 @@ var_dump($var1);
 --EXPECTF--
 Notice: Undefined variable: var in %s on line %d
 
-Warning: mbereg_replace(): mbregex compile err: invalid code point value in %sbug72994.php on line %d
+Warning: mbereg_replace(): Pattern is not valid under UTF-8 encoding in %s on line %d
 bool(false)
 ===DONE===
diff --git a/ext/mbstring/tests/bug77370.phpt b/ext/mbstring/tests/bug77370.phpt
@@ -7,5 +7,5 @@ Bug #77370 (Buffer overflow on mb regex functions - fetch_token)
 var_dump(mb_split("   \xfd",""));
 ?>
 --EXPECTF--
-Warning: mb_split(): mbregex compile err: invalid code point value in %sbug77370.php on line %d
+Warning: mb_split(): Pattern is not valid under UTF-8 encoding in %s on line %d
 bool(false)
diff --git a/ext/mbstring/tests/bug77371.phpt b/ext/mbstring/tests/bug77371.phpt
@@ -7,5 +7,5 @@ Bug #77371 (heap buffer overflow in mb regex functions - compile_string_node)
 var_dump(mb_ereg("()0\xfc00000\xfc00000\xfc00000\xfc",""));
 ?>
 --EXPECTF--
-Warning: mb_ereg(): mbregex compile err: invalid code point value in %sbug77371.php on line %d
+Warning: mb_ereg(): Pattern is not valid under UTF-8 encoding in %s on line %d
 bool(false)
diff --git a/ext/mbstring/tests/bug77381.phpt b/ext/mbstring/tests/bug77381.phpt
@@ -10,14 +10,14 @@ var_dump(mb_ereg("0000\\"."\xf5","0"));
 var_dump(mb_ereg("(?i)FFF00000000000000000\xfd",""));
 ?>
 --EXPECTF--
-Warning: mb_ereg(): mbregex compile err: invalid code point value in %sbug77381.php on line %d
+Warning: mb_ereg(): Pattern is not valid under UTF-8 encoding in %s on line %d
 bool(false)
 
-Warning: mb_ereg(): mbregex compile err: invalid code point value in %sbug77381.php on line %d
+Warning: mb_ereg(): Pattern is not valid under UTF-8 encoding in %s on line %d
 bool(false)
 
-Warning: mb_ereg(): mbregex compile err: invalid code point value in %sbug77381.php on line %d
+Warning: mb_ereg(): Pattern is not valid under UTF-8 encoding in %s on line %d
 bool(false)
 
-Warning: mb_ereg(): mbregex compile err: invalid code point value in %sbug77381.php on line %d
+Warning: mb_ereg(): Pattern is not valid under UTF-8 encoding in %s on line %d
 bool(false)
diff --git a/ext/mbstring/tests/bug77418.phpt b/ext/mbstring/tests/bug77418.phpt
@@ -1,5 +1,5 @@
 --TEST--
-Bug #77371 (Heap overflow in utf32be_mbc_to_code)
+Bug #77418 (Heap overflow in utf32be_mbc_to_code)
 --SKIPIF--
 <?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
 --FILE--
@@ -8,7 +8,4 @@ mb_regex_encoding("UTF-32");
 var_dump(mb_split("\x00\x00\x00\x5c\x00\x00\x00B","000000000000000000000000000000"));
 ?>
 --EXPECT--
-array(1) {
-  [0]=>
-  string(30) "000000000000000000000000000000"
-}
+bool(false)
diff --git a/ext/mbstring/tests/mb_ereg_replace_variation1.phpt b/ext/mbstring/tests/mb_ereg_replace_variation1.phpt
@@ -110,15 +110,15 @@ string(10) "string_val"
 
 -- Iteration 4 --
 
-Warning: mb_ereg_replace(): mbregex compile err: invalid code point value in %smb_ereg_replace_variation1.php on line %d
+Warning: mb_ereg_replace(): Pattern is not valid under UTF-8 encoding in %s on line %d
 bool(false)
 
 -- Iteration 5 --
 string(10) "string_val"
 
 -- Iteration 6 --
 
-Warning: mb_ereg_replace(): mbregex compile err: invalid code point value in %smb_ereg_replace_variation1.php on line %d
+Warning: mb_ereg_replace(): Pattern is not valid under UTF-8 encoding in %s on line %d
 bool(false)
 
 -- Iteration 7 --
