Fix recovery of large entities in mb_decode_numericentity()

author Nikita Popov <nikita.ppv@gmail.com>

Wed, 29 Jan 2020 10:44:56 +0000 (11:44 +0100)

committer Nikita Popov <nikita.ppv@gmail.com>

Wed, 29 Jan 2020 10:48:34 +0000 (11:48 +0100)
author Nikita Popov <nikita.ppv@gmail.com>
Wed, 29 Jan 2020 10:44:56 +0000 (11:44 +0100)
committer Nikita Popov <nikita.ppv@gmail.com>
Wed, 29 Jan 2020 10:48:34 +0000 (11:48 +0100)
diff --git a/ext/mbstring/libmbfl/mbfl/mbfilter.c b/ext/mbstring/libmbfl/mbfl/mbfilter.c

index 1cb6d28e7b4e0c1bd3bdc538cd5363bf2a06fe72..baaa4c3f36095562001328dbdab3a370cbb37f50 100644 (file)
--- a/ext/mbstring/libmbfl/mbfl/mbfilter.c
+++ b/ext/mbstring/libmbfl/mbfl/mbfilter.c
@@ -2586,12 +2586,10 @@ collector_decode_htmlnumericentity(int c, void *data)
                         (*pc->decoder->filter_function)(0x23, pc->decoder);             /* '#' */
                         r = 1;
                         n = pc->digit;
-                       while (n > 0) {
+                       while (n > 1) {
                                 r *= 10;
                                 n--;
                         }
-                       s %= r;
-                       r /= 10;
                         while (r > 0) {
                                 d = s/r;
                                 s %= r;
@@ -2764,12 +2762,10 @@ int mbfl_filt_decode_htmlnumericentity_flush(mbfl_convert_filter *filter)
                         s = pc->cache;
                         r = 1;
                         n = pc->digit;
-                       while (n > 0) {
+                       while (n > 1) {
                                 r *= 10;
                                 n--;
                         }
-                       s %= r;
-                       r /= 10;
                         while (r > 0) {
                                 d = s/r;
                                 s %= r;
diff --git a/ext/mbstring/tests/mb_decode_numericentity.phpt b/ext/mbstring/tests/mb_decode_numericentity.phpt

index 6008ef9a9b0fb747a6cd87cc73e264f05923dcc1..b6a7c622a668cd5ab710b3643ca97130c7a46125 100644 (file)
--- a/ext/mbstring/tests/mb_decode_numericentity.phpt
+++ b/ext/mbstring/tests/mb_decode_numericentity.phpt
@@ -14,8 +14,16 @@ $convmap = array(0x0, 0x2FFFF, 0, 0xFFFF);
  echo mb_decode_numericentity($str1, $convmap, "UTF-8")."\n";
  echo mb_decode_numericentity($str2, $convmap, "UTF-8")."\n";
  echo mb_decode_numericentity($str3, $convmap, "UTF-8")."\n";
+
+echo mb_decode_numericentity('&#1000000000', $convmap), "\n";
+echo mb_decode_numericentity('&#10000000000', $convmap), "\n";
+echo mb_decode_numericentity('&#100000000000', $convmap), "\n";
+
  ?>
  --EXPECT--
  ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ
  ƒΑΒΓΔΕΖΗΘΙΚΛΜΝΞΟΠΡΣΤΥΦΧΨΩαβγδεζηθικλμνξοπρςστυφχψωϑϒϖ•…′″‾⁄℘ℑℜ™ℵ←↑→↓↔↵⇐⇑⇒⇓⇔∀∂∃∅∇∈∉∋∏∑−∗√∝∞∠∧∨∩∪∫∴∼≅≈≠≡≤≥⊂⊃⊄⊆⊇⊕⊗⊥⋅⌈⌉⌊⌋〈〉◊♠♣♥♦
  aŒbœcŠdše€fg
+&#1000000000
+&#10000000000
+&#100000000000
author	Nikita Popov <nikita.ppv@gmail.com>
	Wed, 29 Jan 2020 10:44:56 +0000 (11:44 +0100)
committer	Nikita Popov <nikita.ppv@gmail.com>
	Wed, 29 Jan 2020 10:48:34 +0000 (11:48 +0100)
ext/mbstring/libmbfl/mbfl/mbfilter.c		patch \| blob \| history
ext/mbstring/tests/mb_decode_numericentity.phpt		patch \| blob \| history