From: Nikita Popov Date: Wed, 29 Jan 2020 15:40:13 +0000 (+0100) Subject: Restore digit check in mb_decode_numericentity() X-Git-Tag: php-7.4.7RC1~252 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=9aadcb18e1d6c7f7736a00e246e193671353d741;p=php Restore digit check in mb_decode_numericentity() I replaced it with a multiplication overflow check in 18599f9c52959b2e8cbfac57e278644499a3547d. However, we need both, because the code for restoring the number can't handle numbers with many leading zeros right now and I don't feel like teaching it. --- diff --git a/ext/mbstring/libmbfl/mbfl/mbfilter.c b/ext/mbstring/libmbfl/mbfl/mbfilter.c index cec6daad94..544eae9121 100644 --- a/ext/mbstring/libmbfl/mbfl/mbfilter.c +++ b/ext/mbstring/libmbfl/mbfl/mbfilter.c @@ -2554,7 +2554,7 @@ collector_decode_htmlnumericentity(int c, void *data) f = 0; if (c >= 0x30 && c <= 0x39) { /* '0' - '9' */ s = pc->cache; - if (s > INT_MAX/10) { + if (pc->digit > 9 || s > INT_MAX/10) { pc->status = 0; f = 1; } else { diff --git a/ext/mbstring/tests/mb_decode_numericentity.phpt b/ext/mbstring/tests/mb_decode_numericentity.phpt index c728e2aa69..f70e26a43c 100644 --- a/ext/mbstring/tests/mb_decode_numericentity.phpt +++ b/ext/mbstring/tests/mb_decode_numericentity.phpt @@ -19,6 +19,7 @@ echo mb_decode_numericentity('�', $convmap), "\n"; echo mb_decode_numericentity('�', $convmap), "\n"; echo mb_decode_numericentity('�', $convmap), "\n"; echo mb_decode_numericentity('�', $convmap), "\n"; +echo mb_decode_numericentity('�', $convmap), "\n"; ?> --EXPECT-- @@ -29,3 +30,4 @@ aŒbœcÅ dÅ¡e€fg � � � +�