From 4f53cacbd34f0ab14174ed231d65c394a0da5b74 Mon Sep 17 00:00:00 2001 From: Jakob Erdmann Date: Mon, 20 Jun 2016 12:00:32 +0200 Subject: [PATCH] Fix pcre segmentation fault in Zend_Db_Statement --- library/Zend/Db/Statement.php | 6 +++--- tests/Zend/Db/Statement/MysqliTest.php | 16 ++++++++++++++++ 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/library/Zend/Db/Statement.php b/library/Zend/Db/Statement.php index be5e2d5912..ffc5d766da 100644 --- a/library/Zend/Db/Statement.php +++ b/library/Zend/Db/Statement.php @@ -191,13 +191,13 @@ protected function _stripQuoted($sql) if (!empty($q)) { $escapeChar = preg_quote($escapeChar); // this segfaults only after 65,000 characters instead of 9,000 - $sql = preg_replace("/$q([^$q{$escapeChar}]*|($qe)*)*$q/s", '', $sql); + $sql = preg_replace("/$q(?:[^$q{$escapeChar}]*|(?:$qe)*)*$q/s", '', $sql); } // get a version of the SQL statement with all quoted // values and delimited identifiers stripped out // remove "foo\"bar" - $sql = preg_replace("/\"(\\\\\"|[^\"])*\"/Us", '', $sql); + $sql = preg_replace("/\".*(?assertSame($out, $actual, $count . ' - unexpected output'); } } + + public function testStripQuotedForLongQuery() + { + $statementClass = 'Zend_Db_Statement_' . $this->getDriver(); + + $table = $this->_db->quoteIdentifier('zfproducts'); + $column = $this->_db->quoteIdentifier('product_name'); + + $sql = 'SELECT * FROM `zfproducts` WHERE `product_name` = "%s"'; + + $columnContent = str_repeat('a', 15000) . '\\"' . str_repeat('b', 15000); + $sql = sprintf($sql, $columnContent); + + $stmt = new $statementClass($this->_db, $sql); + $this->assertNotNull($stmt->getDriverStatement()); + } public function testStatementRowCount() {
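Review bot: Both rewritten `preg_replace()` calls in `_stripQuoted()` still assign the result straight back to `$sql`, so a PCRE failure (backtrack, recursion or JIT-stack limit) leaves `$sql` as `null` with no error raised. The retained comment says the first pattern still crashes past roughly 65,000 characters, and the nested quantifier `(?:…*|…*)*` is kept, so very long quoted values remain a realistic trigger. The stripped string appears to feed placeholder detection, which would then work from an empty statement. Check the result after each call, e.g. `if ($sql === null) { throw new Zend_Db_Statement_Exception('PCRE error ' . preg_last_error() . ' while stripping quoted values'); }`. The second new pattern is truncated on this page and the function body starts and ends outside the hunk, so this is based on the visible lines only.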
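Review bot: `testStripQuotedForLongQuery()` assigns `$table` and `$column` but never uses them, because the SQL string hard-codes the backtick-quoted names. Its only assertion is `assertNotNull($stmt->getDriverStatement())`, which shows the process survived but not that the literal was stripped correctly. The input is about 30,000 characters, below the 65,000-character threshold that the comment in `_stripQuoted()` still names, so the remaining limit is untested. Drop the two unused assignments, and consider putting a `?` inside the long literal so the test fails if the quoted value is not removed before placeholder parsing (assumed to consume the `_stripQuoted()` output; that code is outside this diff).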