Hi,
When testing v7.2.1 on s390x, two cases are found to crash:
- ext/mbstring/tests/mb_ereg.phpt
- ext/mbstring/tests/mb_ereg_variation5.phpt
It happens at /home/work/php/php/ext/mbstring/oniguruma/src/regexec.c:2481,
here is the code (macros replaced):
2474       case OP_STATE_CHECK_PUSH:  MOP_IN(OP_STATE_CHECK_PUSH);
2475         GET_STATE_CHECK_NUM_INC(mem, p);
2476         // STATE_CHECK_VAL(scv, mem);
2477         do {
2478           if (state_check_buff != NULL) {
2479             // int x = STATE_CHECK_POS(s,mem);
2480             int x = (((s) - str) * num_comb_exp_check + ((mem) - 1));
2481             (scv) = state_check_buff[x/8] & (1<<(x%8));
2482           }
2483           else (scv) = 0;
2484         } while(0);
2485
(gdb) p x
$1 = 196680
(gdb) p x/8
$2 = 24585
However, the array "state_check_buff" index range is 0--20311.
"mem" comes from the macro "GET_STATE_CHECK_NUM_INC", which refers to
"StateCheckNumType".
Here is the definition of StateCheckNumType in
ext/mbstring/oniguruma/src/regint.h:
...
530 typedef int MemNumType;
531 typedef short int StateCheckNumType;
532 typedef void* PointerType;
...
I don't understand why StateCheckNumType is defined as short int, while
the others are all int.
If I change it to "int", the two crashes are gone and the 5 cases related to
"mb_ereg()" pass.
Testing on x86_64 shows the 5 cases also pass (same as before).
Thanks,
Sam
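An added illustration (not oniguruma's or PHP's code) of the two points in the report above: why a narrower reader type such as a short StateCheckNumType can silently misread a number written with a wider type on a big-endian host like s390x while still passing on x86_64, and what a bounds check at the STATE_CHECK_POS lookup would catch. The width/endian mismatch is an assumed mechanism used for illustration, not the confirmed root cause; the byte-order emulation, the helper names and the 24585*8 decomposition of x are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Emulated bytecode writer: stores a 4-byte int in the byte order of the
 * emulated target (big_endian=1 emulates s390x, 0 emulates x86_64). */
static void put_int(uint8_t *p, int v, int big_endian) {
    for (int i = 0; i < 4; i++) {
        int shift = big_endian ? 8 * (3 - i) : 8 * i;
        p[i] = (uint8_t)((unsigned)v >> shift);
    }
}

/* Emulated reader using a 2-byte type, like a "short int" StateCheckNumType:
 * it consumes only the first two of the four bytes written above. */
static int get_short(const uint8_t *p, int big_endian) {
    uint16_t u = big_endian ? (uint16_t)((p[0] << 8) | p[1])
                            : (uint16_t)((p[1] << 8) | p[0]);
    return (int16_t)u;
}

/* Round-trips a state-check number through the mismatched widths (assumed
 * mechanism). In the little-endian emulation small values survive; in the
 * big-endian one they read as 0, and the cursor is left two bytes short. */
int roundtrip_mismatch(int mem, int big_endian) {
    uint8_t code[4];
    put_int(code, mem, big_endian);
    return get_short(code, big_endian);
}

/* STATE_CHECK_POS as quoted in the report, plus the bounds check the quoted
 * lookup lacks: returns the bit value, or -1 when x/8 is outside buff. */
int checked_state_bit(const uint8_t *buff, size_t buff_len,
                      long s_minus_str, int num_comb_exp_check, int mem) {
    long x = s_minus_str * num_comb_exp_check + (mem - 1);
    if (x < 0 || (size_t)(x / 8) >= buff_len) return -1;
    return (buff[x / 8] & (1 << (x % 8))) ? 1 : 0;
}

/* The report's numbers: buff covers indices 0..20311 but x is 196680, so
 * x/8 = 24585 is out of range. The split 24585*8 + (1-1) is constructed. */
int report_lookup_is_oob(void) {
    static uint8_t buff[20312];
    return checked_state_bit(buff, sizeof buff, 24585, 8, 1);
}
```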