From b3b3491a691218a1773c9e193f0fba0a45e03139 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Thu, 3 Oct 2024 20:16:01 +0200
Subject: [PATCH] Fix GH-16184: UBSan address overflowed in ext/pcre/php_pcre.c
libpcre2 can return the special value -1 for a non-match. In this case we get pointer overflow, although it doesn't matter in practice because the pointer will be in bounds and the copy length will be 0. Still, we should fix the UBSAN warning.
---
ext/pcre/php_pcre.c | 8 +++++---
ext/pcre/tests/gh16184.phpt | 13 +++++++++++++
2 files changed, 18 insertions(+), 3 deletions(-)
create mode 100644 ext/pcre/tests/gh16184.phpt
diff --git a/ext/pcre/php_pcre.c b/ext/pcre/php_pcre.c
index 4511d611d7a44..4c1d8db47c11b 100644
--- a/ext/pcre/php_pcre.c
+++ b/ext/pcre/php_pcre.c
@@ -1747,9 +1747,11 @@ PHPAPI zend_string *php_pcre_replace_impl(pcre_cache_entry *pce, zend_string *su
 }
 if (preg_get_backref(&walk, &backref)) {
 if (backref < count) {
- match_len = offsets[(backref<<1)+1] - offsets[backref<<1];
- memcpy(walkbuf, subject + offsets[backref<<1], match_len);
- walkbuf += match_len;
+ if (offsets[backref<<1] < SIZE_MAX) {
+ match_len = offsets[(backref<<1)+1] - offsets[backref<<1];
+ memcpy(walkbuf, subject + offsets[backref<<1], match_len);
+ walkbuf += match_len;
+ }
 }
 continue;
 }
diff --git a/ext/pcre/tests/gh16184.phpt b/ext/pcre/tests/gh16184.phpt
new file mode 100644
index 0000000000000..ba915d19af74b
--- /dev/null
+++ b/ext/pcre/tests/gh16184.phpt
@@ -0,0 +1,13 @@
+--TEST--
+GH-16184 (UBSan address overflowed in ext/pcre/php_pcre.c)
+--CREDITS--
+YuanchengJiang
+--FILE--
+
+--EXPECT--
+This test a string. It contains numbers * to 0* to 9* test well test parentheses and some other things*
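Review bot: The new guard `if (offsets[backref<<1] < SIZE_MAX)` encodes libpcre2's "unset group" sentinel as a bare `SIZE_MAX` comparison, which is only correct while `PCRE2_SIZE` happens to be `size_t`; libpcre2 exposes the sentinel itself as `PCRE2_UNSET` (`~(PCRE2_SIZE)0`), so the intent is clearer and the coupling to the typedef disappears with `if (offsets[backref<<1] != PCRE2_UNSET) {`. A one-line comment above the guard would also help the next reader, since the reason for skipping is not visible from the code: `/* Unset capture group: both offsets are PCRE2_UNSET, so there is nothing to copy and the pointer arithmetic would overflow. */`. When the guard skips, `match_len` keeps whatever value it held before; that appears harmless because it is only used inside the skipped branch here, but `php_pcre_replace_impl` continues outside the hunk, so please confirm nothing later reads it. The change is behaviour-preserving for unset groups (the copy length was already 0), which is consistent with the commit message.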