diff options
author | Nikita Popov <nikita.ppv@gmail.com> | 2020-01-29 11:44:56 +0100 |
---|---|---|
committer | Nikita Popov <nikita.ppv@gmail.com> | 2020-01-29 11:48:34 +0100 |
commit | 91f878779cdad878ae664e2abad83a2967ae56d1 (patch) | |
tree | 279ca724c39874a91871841135b0f4a1b9c19f11 | |
parent | 5265fabc2501999dcfc1615980f25bce25d58e92 (diff) | |
download | php-git-91f878779cdad878ae664e2abad83a2967ae56d1.tar.gz |
Fix recovery of large entities in mb_decode_numericentity()
Make sure we don't overflow the integer.
-rw-r--r-- | ext/mbstring/libmbfl/mbfl/mbfilter.c | 8 | ||||
-rw-r--r-- | ext/mbstring/tests/mb_decode_numericentity.phpt | 8 |
2 files changed, 10 insertions, 6 deletions
diff --git a/ext/mbstring/libmbfl/mbfl/mbfilter.c b/ext/mbstring/libmbfl/mbfl/mbfilter.c index 1cb6d28e7b..baaa4c3f36 100644 --- a/ext/mbstring/libmbfl/mbfl/mbfilter.c +++ b/ext/mbstring/libmbfl/mbfl/mbfilter.c @@ -2586,12 +2586,10 @@ collector_decode_htmlnumericentity(int c, void *data) (*pc->decoder->filter_function)(0x23, pc->decoder); /* '#' */ r = 1; n = pc->digit; - while (n > 0) { + while (n > 1) { r *= 10; n--; } - s %= r; - r /= 10; while (r > 0) { d = s/r; s %= r; @@ -2764,12 +2762,10 @@ int mbfl_filt_decode_htmlnumericentity_flush(mbfl_convert_filter *filter) s = pc->cache; r = 1; n = pc->digit; - while (n > 0) { + while (n > 1) { r *= 10; n--; } - s %= r; - r /= 10; while (r > 0) { d = s/r; s %= r; diff --git a/ext/mbstring/tests/mb_decode_numericentity.phpt b/ext/mbstring/tests/mb_decode_numericentity.phpt index 6008ef9a9b..b6a7c622a6 100644 --- a/ext/mbstring/tests/mb_decode_numericentity.phpt +++ b/ext/mbstring/tests/mb_decode_numericentity.phpt @@ -14,8 +14,16 @@ $convmap = array(0x0, 0x2FFFF, 0, 0xFFFF); echo mb_decode_numericentity($str1, $convmap, "UTF-8")."\n"; echo mb_decode_numericentity($str2, $convmap, "UTF-8")."\n"; echo mb_decode_numericentity($str3, $convmap, "UTF-8")."\n"; + +echo mb_decode_numericentity('�', $convmap), "\n"; +echo mb_decode_numericentity('�', $convmap), "\n"; +echo mb_decode_numericentity('�', $convmap), "\n"; + ?> --EXPECT-- ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ ƒΑΒΓΔΕΖΗΘΙΚΛΜΝΞΟΠΡΣΤΥΦΧΨΩαβγδεζηθικλμνξοπρςστυφχψωϑϒϖ•…′″‾⁄℘ℑℜ™ℵ←↑→↓↔↵⇐⇑⇒⇓⇔∀∂∃∅∇∈∉∋∏∑−∗√∝∞∠∧∨∩∪∫∴∼≅≈≠≡≤≥⊂⊃⊄⊆⊇⊕⊗⊥⋅⌈⌉⌊⌋〈〉◊♠♣♥♦ aŒbœcŠdše€fg +� +� +� |