]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 0f79b1b)
Fix bug #79037 (global buffer-overflow in `mbfl_filt_conv_big5_wchar`)
authorStanislav Malyshev <stas@php.net>
Tue, 21 Jan 2020 05:42:44 +0000 (21:42 -0800)
committerStanislav Malyshev <stas@php.net>
Tue, 21 Jan 2020 05:43:42 +0000 (21:43 -0800)
ext/mbstring/libmbfl/filters/mbfilter_big5.c patch | blob | history
ext/mbstring/tests/bug79037.phpt [new file with mode: 0644] patch | blob

diff --git a/ext/mbstring/libmbfl/filters/mbfilter_big5.c b/ext/mbstring/libmbfl/filters/mbfilter_big5.c
index f5ab8809ce8a799bd40bda74606f181fcef36c75..5e1ca815da31ed68db2baae2b3d38699b546ca83 100644 (file)
--- a/ext/mbstring/libmbfl/filters/mbfilter_big5.c
+++ b/ext/mbstring/libmbfl/filters/mbfilter_big5.c
@@ -138,6 +138,17 @@ static unsigned short cp950_pua_tbl[][4] = {
        {0xf70f,0xf848,0xc740,0xc8fe},
 };
 
+static inline int is_in_cp950_pua(int c1, int c) {
+       if ((c1 >= 0xfa && c1 <= 0xfe) || (c1 >= 0x8e && c1 <= 0xa0) ||
+                       (c1 >= 0x81 && c1 <= 0x8d) || (c1 >= 0xc7 && c1 <= 0xc8)) {
+               return (c >=0x40 && c <= 0x7e) || (c >= 0xa1 && c <= 0xfe);
+       }
+       if (c1 == 0xc6) {
+               return c >= 0xa1 && c <= 0xfe;
+       }
+       return 0;
+}
+
 /*
  * Big5 => wchar
  */
@@ -186,11 +197,7 @@ mbfl_filt_conv_big5_wchar(int c, mbfl_convert_filter *filter)
 
                        if (filter->from->no_encoding == mbfl_no_encoding_cp950) {
                                /* PUA for CP950 */
-                               if (w <= 0 &&
-                                       (((c1 >= 0xfa && c1 <= 0xfe) || (c1 >= 0x8e && c1 <= 0xa0) ||
-                                         (c1 >= 0x81 && c1 <= 0x8d) ||(c1 >= 0xc7 && c1 <= 0xc8))
-                                        && ((c > 0x39 && c < 0x7f) || (c > 0xa0 && c < 0xff))) ||
-                                       ((c1 == 0xc6) && (c > 0xa0 && c < 0xff))) {
+                               if (w <= 0 && is_in_cp950_pua(c1, c)) {
                                        c2 = c1 << 8 | c;
                                        for (k = 0; k < sizeof(cp950_pua_tbl)/(sizeof(unsigned short)*4); k++) {
                                                if (c2 >= cp950_pua_tbl[k][2] && c2 <= cp950_pua_tbl[k][3]) {
diff --git a/ext/mbstring/tests/bug79037.phpt b/ext/mbstring/tests/bug79037.phpt
new file mode 100644 (file)
index 0000000..94ff01a
--- /dev/null
+++ b/ext/mbstring/tests/bug79037.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Bug #79037: global buffer-overflow in `mbfl_filt_conv_big5_wchar`
+--FILE--
+<?php
+
+var_dump(mb_convert_encoding("\x81\x3a", "UTF-8", "CP950"));
+
+?>
+--EXPECT--
+string(1) "?"
Unnamed repository; edit this file 'description' to name the repository.