Fix #75457: heap-use-after-free in php7.0.25

cmb69 · smalyshev · commit 7bf1f9d56182 · 2019-08-25T19:19:50.000-07:00
Backport <https://vcs.pcre.org/pcre?view=revision&revision=1638>.
diff --git a/ext/pcre/pcrelib/pcre_compile.c b/ext/pcre/pcrelib/pcre_compile.c
@@ -483,7 +483,7 @@ static const char error_texts[] =
   "lookbehind assertion is not fixed length\0"
   "malformed number or name after (?(\0"
   "conditional group contains more than two branches\0"
-  "assertion expected after (?(\0"
+  "assertion expected after (?( or (?(?C)\0"
   "(?R or (?[+-]digits must be followed by )\0"
   /* 30 */
   "unknown POSIX class name\0"
@@ -6732,6 +6732,15 @@ for (;; ptr++)
           for (i = 3;; i++) if (!IS_DIGIT(ptr[i])) break;
           if (ptr[i] == CHAR_RIGHT_PARENTHESIS)
             tempptr += i + 1;
+
+          /* tempptr should now be pointing to the opening parenthesis of the
+          assertion condition. */
+
+          if (*tempptr != CHAR_LEFT_PARENTHESIS)
+            {
+            *errorcodeptr = ERR28;
+            goto FAILED;
+            }
           }
 
         /* For conditions that are assertions, check the syntax, and then exit
diff --git a/ext/pcre/tests/bug75457.phpt b/ext/pcre/tests/bug75457.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Bug #75457 (heap-use-after-free in php7.0.25)
+--FILE--
+<?php
+$pattern = "/(((?(?C)0?=))(?!()0|.(?0)0)())/";
+var_dump(preg_match($pattern, "hello"));
+?>
+--EXPECTF--
+Warning: preg_match(): Compilation failed: assertion expected after (?( or (?(?C) at offset 4 in %sbug75457.php on line %d
+bool(false)
