Fix #73527: Invalid memory access in php_filter_strip

diff --git a/NEWS b/NEWS
index 1b8ff495098b83f78e98812d610c4d33541c9adf..39a980633014d6323e85ee8cbdf3d57c2134b51c 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,9 @@ PHP                                                                        NEWS
   . Fixed bug #79668 (get_defined_functions(true) may miss functions). (cmb,
     Nikita)
 
+- Filter:
+  . Fixed bug #73527 (Invalid memory access in php_filter_strip). (cmb)
+
 - PDO SQLite:
   . Fixed bug #79664 (PDOStatement::getColumnMeta fails on empty result set).
     (cmb)

diff --git a/ext/filter/sanitizing_filters.c b/ext/filter/sanitizing_filters.c
index 7a992b4966c18fc10503cf1fc8b1f98963e71a82..de69b3bf5a8b58ab05b11f6f81025f164cf36e92 100644 (file)
--- a/ext/filter/sanitizing_filters.c
+++ b/ext/filter/sanitizing_filters.c
@@ -110,7 +110,7 @@ static void php_filter_strip(zval *value, zend_long flags)
 {
        unsigned char *str;
        size_t i;
-       int c;
+       size_t c;
        zend_string *buf;
 
        /* Optimization for if no strip flags are set */
@@ -119,7 +119,7 @@ static void php_filter_strip(zval *value, zend_long flags)
        }
 
        str = (unsigned char *)Z_STRVAL_P(value);
-       buf = zend_string_alloc(Z_STRLEN_P(value) + 1, 0);
+       buf = zend_string_alloc(Z_STRLEN_P(value), 0);
        c = 0;
        for (i = 0; i < Z_STRLEN_P(value); i++) {
                if ((str[i] >= 127) && (flags & FILTER_FLAG_STRIP_HIGH)) {
@@ -161,7 +161,7 @@ static void filter_map_apply(zval *value, filter_map *map)
        zend_string *buf;
 
        str = (unsigned char *)Z_STRVAL_P(value);
-       buf = zend_string_alloc(Z_STRLEN_P(value) + 1, 0);
+       buf = zend_string_alloc(Z_STRLEN_P(value), 0);
        c = 0;
        for (i = 0; i < Z_STRLEN_P(value); i++) {
                if ((*map)[str[i]]) {