22244227 problem in UTILITY/PHP
21577672 problem in UTILITY/PHP
22244239 problem in UTILITY/PHP
22244245 problem in UTILITY/PHP
22244247 problem in UTILITY/PHP
22244253 problem in UTILITY/PHP
22244256 problem in UTILITY/PHP
22244261 problem in UTILITY/PHP
22244265 problem in UTILITY/PHP
22244270 problem in UTILITY/PHP
22244277 problem in UTILITY/PHP
22244286 problem in UTILITY/PHP
# Source: upstream
# http://git.php.net/?p=php-src.git;a=patch;h=03964892c054d0c736414c10b3edc7a40318b975
# https://bugs.php.net/bug.php?id=70345
# Security
# Patch regenerated
--- ./php_pcre.c.orig 2015-09-11 14:09:24.834992504 -0700
+++ php-5.6.8/ext/pcre/php_pcre.c 2015-09-11 14:09:35.050782098 -0700
@@ -681,7 +681,7 @@
/* If subpatterns array has been passed, fill it in with values. */
if (subpats != NULL) {
/* Try to get the list of substrings and display a warning if failed. */
- if (pcre_get_substring_list(subject, offsets, count, &stringlist) < 0) {
+ if ((offsets[1] - offsets[0] < 0) || pcre_get_substring_list(subject, offsets, count, &stringlist) < 0) {
efree(subpat_names);
efree(offsets);
if (match_sets) efree(match_sets);
@@ -1136,7 +1136,7 @@
piece = subject + start_offset;
- if (count > 0 && (limit == -1 || limit > 0)) {
+ if (count > 0 && (offsets[1] - offsets[0] >= 0) && (limit == -1 || limit > 0)) {
if (replace_count) {
++*replace_count;
}
@@ -1589,7 +1589,7 @@
}
/* If something matched */
- if (count > 0) {
+ if (count > 0 && (offsets[1] - offsets[0] >= 0)) {
if (!no_empty || &subject[offsets[0]] != last_match) {
if (offset_capture) {
diff --git a/ext/pcre/tests/bug70345.phpt b/ext/pcre/tests/bug70345.phpt
new file mode 100644
index 0000000..0947ba3
--- /dev/null
+++ b/ext/pcre/tests/bug70345.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Bug #70345 (Multiple vulnerabilities related to PCRE functions)
+--FILE--
+<?php
+$regex = '/(?=xyz\K)/';
+$subject = "aaaaxyzaaaa";
+
+$v = preg_split($regex, $subject);
+print_r($v);
+
+$regex = '/(a(?=xyz\K))/';
+$subject = "aaaaxyzaaaa";
+preg_match($regex, $subject, $matches);
+
+var_dump($matches);
+--EXPECTF--
+Array
+(
+ [0] => aaaaxyzaaaa
+)
+
+Warning: preg_match(): Get subpatterns list failed in %s on line %d
+array(0) {
+}
--
2.1.4