Fix bug #66873: check if obj->src is set
authorStanislav Malyshev <stas@php.net>
Mon, 17 Mar 2014 08:17:09 +0000 (01:17 -0700)
committerStanislav Malyshev <stas@php.net>
Mon, 17 Mar 2014 08:19:02 +0000 (01:19 -0700)
NEWS
ext/intl/converter/converter.c
ext/intl/tests/uconverter_bug66873.phpt [new file with mode: 0644]

diff --git a/NEWS b/NEWS
index e2d04b5eb85bd71b0b740aa830c12ee4bad5576e..8a5cf7303554a1c5a7f9a6b18359eac1118e1377 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -29,11 +29,15 @@ PHP                                                                        NEWS
   . hash_pbkdf2() now works correctly if the $length argument is not specified.
     (Nikita)
 
+- Intl:
+  . Fixed bug #66873 (A reproductible crash in UConverter when given invalid 
+    encoding) (Stas)
+
 - Mail:
   . Fixed bug #66535 (Don't add newline after X-PHP-Originating-Script) (Tjerk)
 
 - MySQLi:
-  . Fixed bug #66762i (Segfault in mysqli_stmt::bind_result() when link closed)
+  . Fixed bug #66762 (Segfault in mysqli_stmt::bind_result() when link closed)
   (Remi)
 
 - OPCache
index 5f2d1e7fa797a5f7c38cbb9879922007aac22c9f..a3381bf78e4ee7a4fdc4375878a0ab0b0eaffb9f 100644 (file)
@@ -57,6 +57,8 @@ static inline void php_converter_throw_failure(php_converter_object *objval, UEr
 
 /* {{{ php_converter_default_callback */
 static void php_converter_default_callback(zval *return_value, zval *zobj, long reason, zval *error TSRMLS_DC) {
+       zval_dtor(error);
+       ZVAL_LONG(error, U_ZERO_ERROR);
        /* Basic functionality so children can call parent::toUCallback() */
        switch (reason) {
                case UCNV_UNASSIGNED:
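Review bot: The reset of `error` now has to run before the switch, but nothing at the top of `php_converter_default_callback` says why. A one-line comment above `zval_dtor(error);`, for example `/* Reset the by-ref error first so the failure paths below can overwrite it */`, would record that ordering. Without it, a later cleanup could move the two lines back to the end of the function, where they would overwrite the codes the failure branches now store with `U_ZERO_ERROR`. The function body continues past this hunk.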
@@ -66,7 +68,16 @@ static void php_converter_default_callback(zval *return_value, zval *zobj, long
                        php_converter_object *objval = (php_converter_object*)CONV_GET(zobj);
                        char chars[127];
                        int8_t chars_len = sizeof(chars);
-                       UErrorCode error = U_ZERO_ERROR;
+                       UErrorCode uerror = U_ZERO_ERROR;
+            if(!objval->src) {
+                php_converter_throw_failure(objval, U_INVALID_STATE_ERROR TSRMLS_CC, "Source Converter has not been initialized yet");
+                               chars[0] = 0x1A;
+                               chars[1] = 0;
+                               chars_len = 1;
+                ZVAL_LONG(error, U_INVALID_STATE_ERROR);
+                RETVAL_STRINGL(chars, chars_len, 1);
+                return;
+            }
 
                        /* Yes, this is fairly wasteful at first glance,
                         * but considering that the alternative is to store
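Review bot: The fallback bytes (`chars[0] = 0x1A; chars[1] = 0; chars_len = 1;`) and the write to `error` are now spelled out twice, once in the new `!objval->src` guard and once in the `U_FAILURE(uerror)` branch of the next hunk, so the two failure paths can drift apart. Setting `uerror` in the guard and letting one `U_FAILURE(uerror)` block produce the fallback keeps a single copy, as sketched below. The added guard lines and `ZVAL_LONG(error, uerror);` in the next hunk also sit at a different indent from their neighbours, which looks like spaces mixed into a tab-indented file. The guard protects only this callback; other methods that dereference `objval->src` or `objval->dest` after a failed constructor are not visible on this page and may need the same check. The enclosing function starts and ends outside this hunk.

```c
UErrorCode uerror = U_ZERO_ERROR;

if (!objval->src) {
	uerror = U_INVALID_STATE_ERROR;
	php_converter_throw_failure(objval, uerror TSRMLS_CC, "Source Converter has not been initialized yet");
} else {
	/* … unchanged: comment explaining why the substitution chars are not cached … */
	ucnv_getSubstChars(objval->src, chars, &chars_len, &uerror);
	if (U_FAILURE(uerror)) {
		THROW_UFAILURE(objval, "ucnv_getSubstChars", uerror);
	}
}
if (U_FAILURE(uerror)) {
	/* Single fallback path: report the code and return the SUB byte */
	chars[0] = 0x1A;
	chars[1] = 0;
	chars_len = 1;
	ZVAL_LONG(error, uerror);
}
RETVAL_STRINGL(chars, chars_len, 1);
```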
@@ -75,18 +86,17 @@ static void php_converter_default_callback(zval *return_value, zval *zobj, long
                         * I'd rather take the CPU hit here, than waste time
                         * storing a value I'm unlikely to use.
                         */
-                       ucnv_getSubstChars(objval->src, chars, &chars_len, &error);
-                       if (U_FAILURE(error)) {
-                               THROW_UFAILURE(objval, "ucnv_getSubstChars", error);
+                       ucnv_getSubstChars(objval->src, chars, &chars_len, &uerror);
+                       if (U_FAILURE(uerror)) {
+                               THROW_UFAILURE(objval, "ucnv_getSubstChars", uerror);
                                chars[0] = 0x1A;
                                chars[1] = 0;
                                chars_len = 1;
+               ZVAL_LONG(error, uerror);
                        }
                        RETVAL_STRINGL(chars, chars_len, 1);
                }
        }
-       zval_dtor(error);
-       ZVAL_LONG(error, U_ZERO_ERROR);
 }
 /* }}} */
 
diff --git a/ext/intl/tests/uconverter_bug66873.phpt b/ext/intl/tests/uconverter_bug66873.phpt
new file mode 100644 (file)
index 0000000..aa1045e
--- /dev/null
@@ -0,0 +1,11 @@
+--TEST--
+Bug #66873 - crash in UConverter with invalid encoding
+--SKIPIF--
+<?php if( !extension_loaded( 'intl' ) ) print 'skip'; ?>
+--FILE--
+<?php
+    $o = new UConverter(1, 1);
+    $o->toUCallback(1, 1, 1, $b);
+    var_dump($o->getErrorCode());
+--EXPECT--
+int(27)
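Review bot: The test asserts only `getErrorCode()`, so the string returned by `toUCallback()` and the code written to the by-reference `$b`, both of which the new guard sets, are not covered. Capturing the return value (`$r = $o->toUCallback(1, 1, 1, $b);`) and adding `var_dump(bin2hex($r), $b);` with matching `--EXPECT--` lines would pin the whole failure contract, not just the absence of a crash. A short comment in the `--FILE--` section noting that 27 is presumably `U_INVALID_STATE_ERROR` would make the expected output easier to read.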