Fix recovery of large entities in mb_decode_numericentity()

Make sure we don't overflow the integer.

2 files changed, 10 insertions, 6 deletions

diff --git a/ext/mbstring/libmbfl/mbfl/mbfilter.c b/ext/mbstring/libmbfl/mbfl/mbfilter.c
index 1cb6d28e7b..baaa4c3f36 100644
--- a/ext/mbstring/libmbfl/mbfl/mbfilter.c
+++ b/ext/mbstring/libmbfl/mbfl/mbfilter.c
@@ -2586,12 +2586,10 @@ collector_decode_htmlnumericentity(int c, void *data)
 			(*pc->decoder->filter_function)(0x23, pc->decoder);		/* '#' */
 			r = 1;
 			n = pc->digit;
-			while (n > 0) {
+			while (n > 1) {
 				r *= 10;
 				n--;
 			}
-			s %= r;
-			r /= 10;
 			while (r > 0) {
 				d = s/r;
 				s %= r;
@@ -2764,12 +2762,10 @@ int mbfl_filt_decode_htmlnumericentity_flush(mbfl_convert_filter *filter)
 			s = pc->cache;
 			r = 1;
 			n = pc->digit;
-			while (n > 0) {
+			while (n > 1) {
 				r *= 10;
 				n--;
 			}
-			s %= r;
-			r /= 10;
 			while (r > 0) {
 				d = s/r;
 				s %= r;
diff --git a/ext/mbstring/tests/mb_decode_numericentity.phpt b/ext/mbstring/tests/mb_decode_numericentity.phpt
index 6008ef9a9b..b6a7c622a6 100644
--- a/ext/mbstring/tests/mb_decode_numericentity.phpt
+++ b/ext/mbstring/tests/mb_decode_numericentity.phpt
@@ -14,8 +14,16 @@ $convmap = array(0x0, 0x2FFFF, 0, 0xFFFF);
 echo mb_decode_numericentity($str1, $convmap, "UTF-8")."\n";
 echo mb_decode_numericentity($str2, $convmap, "UTF-8")."\n";
 echo mb_decode_numericentity($str3, $convmap, "UTF-8")."\n";
+
+echo mb_decode_numericentity('&#1000000000', $convmap), "\n";
+echo mb_decode_numericentity('&#10000000000', $convmap), "\n";
+echo mb_decode_numericentity('&#100000000000', $convmap), "\n";
+
 ?>
 --EXPECT--
 ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ
 ƒΑΒΓΔΕΖΗΘΙΚΛΜΝΞΟΠΡΣΤΥΦΧΨΩαβγδεζηθικλμνξοπρςστυφχψωϑϒϖ•…′″‾⁄℘ℑℜ™ℵ←↑→↓↔↵⇐⇑⇒⇓⇔∀∂∃∅∇∈∉∋∏∑−∗√∝∞∠∧∨∩∪∫∴∼≅≈≠≡≤≥⊂⊃⊄⊆⊇⊕⊗⊥⋅⌈⌉⌊⌋〈〉◊♠♣♥♦
 aŒbœcŠdše€fg
+&#1000000000
+&#10000000000
+&#100000000000