Better overflow check for entity decoding
authorNikita Popov <nikita.ppv@gmail.com>
Wed, 29 Jan 2020 13:22:45 +0000 (14:22 +0100)
committerNikita Popov <nikita.ppv@gmail.com>
Wed, 29 Jan 2020 15:08:46 +0000 (16:08 +0100)
Check for multiplication overflow rather than number of digits.

ext/mbstring/libmbfl/mbfl/mbfilter.c
ext/mbstring/tests/mb_decode_numericentity.phpt

index baaa4c3f36095562001328dbdab3a370cbb37f50..cec6daad945d54a3d948f5c6f53fe5016df86a3c 100644 (file)
@@ -86,6 +86,7 @@
 
 #include <stddef.h>
 #include <string.h>
+#include <limits.h>
 
 #include "mbfilter.h"
 #include "mbfl_filter_output.h"
@@ -2552,12 +2553,12 @@ collector_decode_htmlnumericentity(int c, void *data)
                s = 0;
                f = 0;
                if (c >= 0x30 && c <= 0x39) {   /* '0' - '9' */
-                       if (pc->digit > 9) {
+                       s = pc->cache;
+                       if (s > INT_MAX/10) {
                                pc->status = 0;
-                               s = pc->cache;
                                f = 1;
                        } else {
-                               s = pc->cache*10 + c - 0x30;
+                               s = s*10 + (c - 0x30);
                                pc->cache = s;
                                pc->digit++;
                        }
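Review bot: The new guard `if (s > INT_MAX/10)` protects only the multiplication; when `s == INT_MAX/10` (214748364) the following `s = s*10 + (c - 0x30)` still exceeds INT_MAX for the digits 8 and 9, which is signed-overflow undefined behavior if `s` and `pc->cache` are `int` (their declarations are outside the hunk, so this is inferred). The check should also account for the addend: `if (s > INT_MAX/10 || (s == INT_MAX/10 && (c - 0x30) > INT_MAX % 10)) {`. The phpt section only adds inputs far above INT_MAX (`&#9000000000`), so a boundary input such as `&#2147483648` (constructed example) would be needed to exercise this edge. collector_decode_htmlnumericentity's body begins and continues outside the hunk.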
index b6a7c622a668cd5ab710b3643ca97130c7a46125..c728e2aa6927dea4541f9465fcd1522be9f0e253 100644 (file)
@@ -16,6 +16,7 @@ echo mb_decode_numericentity($str2, $convmap, "UTF-8")."\n";
 echo mb_decode_numericentity($str3, $convmap, "UTF-8")."\n";
 
 echo mb_decode_numericentity('&#1000000000', $convmap), "\n";
+echo mb_decode_numericentity('&#9000000000', $convmap), "\n";
 echo mb_decode_numericentity('&#10000000000', $convmap), "\n";
 echo mb_decode_numericentity('&#100000000000', $convmap), "\n";
 
@@ -25,5 +26,6 @@ echo mb_decode_numericentity('&#100000000000', $convmap), "\n";
 ƒΑΒΓΔΕΖΗΘΙΚΛΜΝΞΟΠΡΣΤΥΦΧΨΩαβγδεζηθικλμνξοπρςστυφχψωϑϒϖ•…′″‾⁄℘ℑℜ™ℵ←↑→↓↔↵⇐⇑⇒⇓⇔∀∂∃∅∇∈∉∋∏∑−∗√∝∞∠∧∨∩∪∫∴∼≅≈≠≡≤≥⊂⊃⊄⊆⊇⊕⊗⊥⋅⌈⌉⌊⌋〈〉◊♠♣♥♦
 aŒbœcŠdše€fg
 &#1000000000
+&#9000000000
 &#10000000000
 &#100000000000