MFH:- Fixed bug #43301 (mb_ereg*_replace() crashes when replacement string is

invalid PHP expression and 'e' option is used)

NEWS

@@ -1,6 +1,8 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2008, PHP 5.2.6
+- Fixed bug #43301 (mb_ereg*_replace() crashes when replacement string is invalid
+  PHP expression and 'e' option is used). (Jani)
 - Fixed bug #43293 (Multiple segfaults in getopt()). (Hannes)
 - Fixed bug #43279 (pg_send_query_params() converts all elements in 'params' 
   to strings). (Ilia)

ext/mbstring/php_mbregex.c

@@ -737,7 +737,12 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp
 				/* null terminate buffer */
 				smart_str_appendc(&eval_buf, '\0');
 				/* do eval */
-				zend_eval_string(eval_buf.c, &v, description TSRMLS_CC);
+				if (zend_eval_string(eval_buf.c, &v, description TSRMLS_CC) == FAILURE) {
+					efree(description);
+					php_error_docref(NULL TSRMLS_CC,E_ERROR, "Failed evaluating code: %s%s", PHP_EOL, eval_buf.c);
+					/* zend_error() does not return in this case */
+				}
+
 				/* result of eval */
 				convert_to_string(&v);
 				smart_str_appendl(&out_buf, Z_STRVAL(v), Z_STRLEN(v));

ext/mbstring/tests/bug43301.phpt

@@ -0,0 +1,21 @@
+--TEST--
+Bug #43301 (mb_ereg*_replace() crashes when replacement string is invalid PHP expression and 'e' option is used)
+--SKIPIF--
+<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
+--FILE--
+<?php
+
+$ptr = 'hello';
+
+$txt = <<<doc
+hello, I have got a cr*sh on you
+doc;
+
+echo mb_ereg_replace($ptr,'$1',$txt,'e');
+
+?>
+--EXPECTF--
+Parse error: syntax error, unexpected T_LNUMBER, expecting T_VARIABLE or '$' in %s/bug43301.php(%d) : mbregex replace on line 1
+
+Fatal error: mb_ereg_replace(): Failed evaluating code: 
+$1 in %s/bug43301.php on line %d