From: Nikita Popov <nikita.ppv@gmail.com>
Date: Wed, 29 Jan 2020 11:19:28 +0000 (+0100)
Subject: Fix length inconsistency in mb_convert_encoding
X-Git-Tag: php-7.4.7RC1~259
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=5589bf4d4af830b2a081475cf8065bf1ed9cf19a;p=php

Fix length inconsistency in mb_convert_encoding

Don't mix strlen() and ZSTR_LEN(). If the encoding contains a
NULL byte, this will overflow the buffer.

NULL bytes will still make this behave oddly because the consuming
code will cut off the string there, but let's address that in master...
---

diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c
index 78557e7f94..d6b633ff3a 100644
--- a/ext/mbstring/mbstring.c
+++ b/ext/mbstring/mbstring.c
@@ -3370,7 +3370,7 @@ PHP_FUNCTION(mb_convert_encoding)
 
 					if ( _from_encodings) {
 						l = strlen(_from_encodings);
-						n = strlen(ZSTR_VAL(encoding_str));
+						n = ZSTR_LEN(encoding_str);
 						_from_encodings = erealloc(_from_encodings, l+n+2);
 						memcpy(_from_encodings + l, ",", 1);
 						memcpy(_from_encodings + l + 1, ZSTR_VAL(encoding_str), ZSTR_LEN(encoding_str) + 1);
diff --git a/ext/mbstring/tests/bug79149.phpt b/ext/mbstring/tests/bug79149.phpt
index fc3751d933..fe2007536e 100644
--- a/ext/mbstring/tests/bug79149.phpt
+++ b/ext/mbstring/tests/bug79149.phpt
@@ -8,6 +8,7 @@ if (!extension_loaded('mbstring')) die('skip mbstring extension not available');
 <?php
 var_dump(mb_convert_encoding("", "UTF-8", [0]));
 var_dump(mb_convert_encoding('foo', 'UTF-8', array(['bar'], ['baz'])));
+var_dump(mb_convert_encoding('foo', 'UTF-8', array("foo\0bar")));
 ?>
 --EXPECTF--
 Warning: mb_convert_encoding(): Illegal character encoding specified in %s on line %d
@@ -19,3 +20,6 @@ Notice: Array to string conversion in %s on line %d
 
 Warning: mb_convert_encoding(): Illegal character encoding specified in %s on line %d
 string(3) "foo"
+
+Warning: mb_convert_encoding(): Illegal character encoding specified in %s on line %d
+string(3) "foo"