Newsgroups: php.internals
Xref: news.php.net php.internals:16159
Message-ID: <1115043040.19690.233165900@webmail.messagingengine.com>
To: tsukada@fminn.nagano.nagano.jp, moriyoshi@php.net
Cc: internals@lists.php.net
Date: Mon, 02 May 2005 07:10:40 -0700
Subject: PATCH for possible segfault with mb_ereg_replace
From: kameshj@fastmail.fm ("Kamesh Jayachandran")

Hi Moriyoshi,

Function _php_mb_regex_ereg_replace_exec in php_mbregex.c returns

    RETVAL_STRINGL((char *)out_buf.c, out_buf.len - 1, 0); // at the end of the function

0 as the 3rd argument to the RETVAL_STRINGL macro does not duplicate the content and sets the retval zval to the same pointer as out_buf.c.

out_buf.c is allocated using the malloc/realloc family, not emalloc/erealloc. When zval_ptr_dtor is called on mb_ereg_replace's retval, it calls efree (which it should not). Hence in the macro REMOVE_POINTER_FROM_LIST the line

    p->pLast->pNext = p->pNext; \

causes a segfault (as p->pLast is null or some strange pointer not within the control of the running program).

Patch for the 5.0 tree is available here:
http://puggy.symonds.net/~kameshj/php_mbregex.c.patch

With regards
Kamesh Jayachandran
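As an added illustration that is not part of the mail or of PHP's source, the C model below reproduces the allocator mismatch with a toy engine heap that keeps a pLast/pNext block list and, unlike the real Zend allocator, can report a pointer it never handed out instead of unlinking through garbage. `block_t`, `emalloc`, `efree`, `zval_str` and `retval_stringl` are constructed stand-ins; the fixed path (copy with dup=1, then free the malloc'd buffer) is one possible fix, not the contents of the linked patch.

```c
#include <stdlib.h>
#include <string.h>
/* Toy model of the engine heap's block list (constructed stand-in, not Zend code). */
typedef struct block { struct block *pLast, *pNext; } block_t;
static block_t *heap_head = NULL;

static void *emalloc(size_t n) {
    block_t *b = malloc(sizeof *b + n);
    b->pLast = NULL; b->pNext = heap_head;
    if (heap_head) heap_head->pLast = b;
    heap_head = b;
    return b + 1;                      /* user data follows the header */
}

/* Unlike the real allocator, refuse a pointer that never came from emalloc
 * (return -1) instead of unlinking through a garbage pLast. */
static int efree(void *p) {
    block_t *b = (block_t *)p - 1;
    for (block_t *it = heap_head; it; it = it->pNext) {
        if (it != b) continue;
        if (b->pLast) b->pLast->pNext = b->pNext; else heap_head = b->pNext;
        if (b->pNext) b->pNext->pLast = b->pLast;
        free(b);
        return 0;
    }
    return -1;
}

typedef struct { char *str; size_t len; } zval_str;
/* Model of RETVAL_STRINGL(buf, len, dup): dup=0 adopts the pointer, dup=1 copies into the engine heap. */
static void retval_stringl(zval_str *rv, const char *buf, size_t len, int dup) {
    rv->len = len;
    if (!dup) { rv->str = (char *)buf; return; }
    rv->str = emalloc(len + 1); memcpy(rv->str, buf, len); rv->str[len] = '\0';
}

/* Buggy path from the mail: malloc'd buffer handed over with dup=0, then efree'd. */
int buggy_path(void) {
    char *out = malloc(6); memcpy(out, "hello", 6);   /* stands in for out_buf.c */
    zval_str rv; retval_stringl(&rv, out, 5, 0);
    int rc = efree(rv.str);                           /* -1: foreign pointer */
    free(out);
    return rc;
}

/* Fixed path: duplicate into the engine heap and free the original ourselves. */
int fixed_path(void) {
    char *out = malloc(6); memcpy(out, "hello", 6);
    zval_str rv; retval_stringl(&rv, out, 5, 1);
    free(out);
    return efree(rv.str);                             /* 0: clean release */
}
```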