From: Sara Golemon <pollita@php.net>
Date: Fri, 29 Apr 2016 21:05:06 +0000 (+0000)
Subject: Raise compiler warning on octal overflow
X-Git-Tag: php-7.1.0alpha1~141
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=95af467d8def3f3453670340f4e65ce7c189d4f6;p=php

Raise compiler warning on octal overflow

Addresses https://bugs.php.net/bug.php?id=71994
---

diff --git a/NEWS b/NEWS
index 78b1e53fbd..cfacdb3524 100644
--- a/NEWS
+++ b/NEWS
@@ -31,6 +31,7 @@ PHP                                                                        NEWS
     respect scientific notation in numeric strings. (Andrea)
   . Implemented the RFC `Catching multiple exception types`. (Bronislaw Bialek,
     Pierrick)
+  . Raise a compile-time warning on octal escape sequence overflow. (Sara)
 
 - FTP:
   . Implemented FR #55651 (Option to ignore the returned FTP PASV address).
diff --git a/Zend/tests/oct_overflow_char.phpt b/Zend/tests/oct_overflow_char.phpt
new file mode 100644
index 0000000000..14a9bb4aeb
--- /dev/null
+++ b/Zend/tests/oct_overflow_char.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Octal overflow in string interpolation
+--FILE--
+<?php
+
+// "abc", ordinarily 'b' would be \142, but we'll deliberately overflow the value by \400
+echo "\141\542\143\n";
+--EXPECTF--
+Warning: Octal escape sequence overflow \542 is greater than \377 in %s/oct_overflow_char.php on line 4
+abc
diff --git a/Zend/zend_language_scanner.l b/Zend/zend_language_scanner.l
index c60fa7c102..122c6d4eda 100644
--- a/Zend/zend_language_scanner.l
+++ b/Zend/zend_language_scanner.l
@@ -1044,6 +1044,12 @@ static int zend_scan_escape_string(zval *zendlval, char *str, int len, char quot
 								Z_STRLEN_P(zendlval)--;
 							}
 						}
+						if (octal_buf[2] &&
+						    (octal_buf[0] > '3')) {
+							/* 3 octit values must not overflow 0xFF (\377) */
+							zend_error(E_COMPILE_WARNING, "Octal escape sequence overflow \\%s is greater than \\377", octal_buf);
+						}
+
 						*t++ = (char) ZEND_STRTOL(octal_buf, NULL, 8);
 					} else {
 						*t++ = '\\';