Fix #79154: mb_convert_encoding() can modify $from_encoding

We must not modify arrays passed by value.
author: Christoph M. Becker <cmbecker69@gmx.de> 2020-01-22 10:25:37 +0100
committer: Christoph M. Becker <cmbecker69@gmx.de> 2020-01-22 10:28:07 +0100
commit: 9be31a582a83c38cdace9d54778398bc9fe0c7a9 (patch)
tree: bac3f8d02c54a38017bcec24be65cb773a517564
parent: 5a9475f4b933aa5bfd16cd2a452ee57aec803dc4 (diff)
download: php-git-9be31a582a83c38cdace9d54778398bc9fe0c7a9.tar.gz
3 files changed, 41 insertions, 5 deletions
diff --git a/NEWS b/NEWS
index 3fd5bb055c..bbb3c919d1 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,9 @@ PHP                                                                        NEWS
   . Fixed bug #79078 (Hypothetical use-after-free in curl_multi_add_handle()).
     (cmb)
 
+- MBString:
+  . Fixed bug #79154 (mb_convert_encoding() can modify $from_encoding). (cmb)
+
 - MySQLnd:
   . Fixed bug #79084 (mysqlnd may fetch wrong column indexes with MYSQLI_BOTH).
     (cmb)
diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c
index a42373e5cb..d227bb278a 100644
--- a/ext/mbstring/mbstring.c
+++ b/ext/mbstring/mbstring.c
@@ -3232,17 +3232,16 @@ PHP_FUNCTION(mb_convert_encoding)
 				_from_encodings = NULL;
 
 				ZEND_HASH_FOREACH_VAL(target_hash, hash_entry) {
-
-					convert_to_string_ex(hash_entry);
+					zend_string *encoding_str = zval_get_string(hash_entry);
 
 					if ( _from_encodings) {
 						l = strlen(_from_encodings);
-						n = strlen(Z_STRVAL_P(hash_entry));
+						n = strlen(ZSTR_VAL(encoding_str));
 						_from_encodings = erealloc(_from_encodings, l+n+2);
 						memcpy(_from_encodings + l, ",", 1);
-						memcpy(_from_encodings + l + 1, Z_STRVAL_P(hash_entry), Z_STRLEN_P(hash_entry) + 1);
+						memcpy(_from_encodings + l + 1, ZSTR_VAL(encoding_str), ZSTR_LEN(encoding_str) + 1);
 					} else {
-						_from_encodings = estrdup(Z_STRVAL_P(hash_entry));
+						_from_encodings = estrdup(ZSTR_VAL(encoding_str));
 					}
 				} ZEND_HASH_FOREACH_END();
 
diff --git a/ext/mbstring/tests/bug79154.phpt b/ext/mbstring/tests/bug79154.phpt
new file mode 100644
index 0000000000..dafac1bd5d
--- /dev/null
+++ b/ext/mbstring/tests/bug79154.phpt
@@ -0,0 +1,34 @@
+--TEST--
+Bug 79154 (mb_convert_encoding() can modify $from_encoding)
+--SKIPIF--
+<?php
+if (!extension_loaded('mbstring')) die('mbstring extension not available');
+?>
+--FILE--
+<?php
+class Utf8Encoding
+{
+    public function __toString()
+    {
+        return 'UTF-8';
+    }
+}
+
+$utf8encoding = new Utf8Encoding();
+$encodings = [$utf8encoding];
+var_dump($encodings);
+mb_convert_encoding('foo', 'UTF-8', $encodings);
+var_dump($encodings);
+
+?>
+--EXPECTF--
+array(1) {
+  [0]=>
+  object(Utf8Encoding)#%d (0) {
+  }
+}
+array(1) {
+  [0]=>
+  object(Utf8Encoding)#%d (0) {
+  }
+}
author	Christoph M. Becker <cmbecker69@gmx.de>	2020-01-22 10:25:37 +0100
committer	Christoph M. Becker <cmbecker69@gmx.de>	2020-01-22 10:28:07 +0100
commit	9be31a582a83c38cdace9d54778398bc9fe0c7a9 (patch)
tree	bac3f8d02c54a38017bcec24be65cb773a517564
parent	5a9475f4b933aa5bfd16cd2a452ee57aec803dc4 (diff)
download	php-git-9be31a582a83c38cdace9d54778398bc9fe0c7a9.tar.gz