From: Nikita Popov
Date: Thu, 11 Sep 2014 12:51:02 +0000 (+0200)
Subject: Fix yy_limit computation after encoding switch
X-Git-Tag: PRE_NATIVE_TLS_MERGE~150^2~17^2~9
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e2d4d700cffe4cc7dcd2f486a77e0465ff937a3e;p=php
Fix yy_limit computation after encoding switch
The three assignments above this line are still broken - they assume that byte offsets in one encoding directly map to byte offsets in another encoding. I'm fixing the length here because it is the one causing out-of-bounds reads and is easy to fix. For the others we'd have to actually compute new offsets.
---
diff --git a/Zend/zend_language_scanner.c b/Zend/zend_language_scanner.c
index e524e0b684..5bd2798cde 100644
--- a/Zend/zend_language_scanner.c
+++ b/Zend/zend_language_scanner.c
@@ -845,7 +845,7 @@ ZEND_API void zend_multibyte_yyinput_again(zend_encoding_filter old_input_filter
 SCNG(yy_cursor) = new_yy_start + (SCNG(yy_cursor) - SCNG(yy_start));
 SCNG(yy_marker) = new_yy_start + (SCNG(yy_marker) - SCNG(yy_start));
 SCNG(yy_text) = new_yy_start + (SCNG(yy_text) - SCNG(yy_start));
- SCNG(yy_limit) = new_yy_start + (SCNG(yy_limit) - SCNG(yy_start));
+ SCNG(yy_limit) = new_yy_start + length;
 SCNG(yy_start) = new_yy_start;
 }
diff --git a/Zend/zend_language_scanner.l b/Zend/zend_language_scanner.l
index 146e354852..bcc341e8a1 100644
--- a/Zend/zend_language_scanner.l
+++ b/Zend/zend_language_scanner.l
@@ -843,7 +843,7 @@ ZEND_API void zend_multibyte_yyinput_again(zend_encoding_filter old_input_filter
 SCNG(yy_cursor) = new_yy_start + (SCNG(yy_cursor) - SCNG(yy_start));
 SCNG(yy_marker) = new_yy_start + (SCNG(yy_marker) - SCNG(yy_start));
 SCNG(yy_text) = new_yy_start + (SCNG(yy_text) - SCNG(yy_start));
- SCNG(yy_limit) = new_yy_start + (SCNG(yy_limit) - SCNG(yy_start));
+ SCNG(yy_limit) = new_yy_start + length;
 SCNG(yy_start) = new_yy_start;
 }
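Review bot: The three context assignments to `SCNG(yy_cursor)`, `SCNG(yy_marker)` and `SCNG(yy_text)` in the `zend_language_scanner.l` hunk still carry byte offsets from the old buffer into the new one, and nothing bounds them by the new `yy_limit`. If the re-filtered input is shorter than those offsets, which seems possible when the two encodings differ in width, the scanner would resume with a pointer past the limit. Until real offsets are computed, a guard after the `yy_limit` assignment would keep them in range, e.g. `if (SCNG(yy_cursor) > SCNG(yy_limit)) SCNG(yy_cursor) = SCNG(yy_limit);` and likewise for `yy_marker` and `yy_text`. The limitation is recorded only in the commit message, so a comment above the three lines such as `/* FIXME: offsets come from the old encoding and may not match the new buffer */` would keep it visible in the code. The body of `zend_multibyte_yyinput_again` starts outside the hunk, so how `length` is computed is not visible here; the generated `zend_language_scanner.c` hunk carries the same lines.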
diff --git a/ext/mbstring/tests/zend_multibyte-07.phpt b/ext/mbstring/tests/zend_multibyte-07.phpt
index 50d4cd95ed..685c6f1f04 100644
--- a/ext/mbstring/tests/zend_multibyte-07.phpt
+++ b/ext/mbstring/tests/zend_multibyte-07.phpt
@@ -1,8 +1,5 @@
 --TEST--
 zend multibyte (7)
---SKIPIF--
---XFAIL--
-https://bugs.php.net/bug.php?id=66582
 --INI--
 error_reporting=E_ALL & ~E_DEPRECATED
 zend.multibyte=On
diff --git a/ext/mbstring/tests/zend_multibyte-09.phpt b/ext/mbstring/tests/zend_multibyte-09.phpt
index 7b0015c6c1..f9b8bf734f 100644
--- a/ext/mbstring/tests/zend_multibyte-09.phpt
+++ b/ext/mbstring/tests/zend_multibyte-09.phpt
@@ -1,8 +1,5 @@
 --TEST--
 zend multibyte (9)
---SKIPIF--
---XFAIL--
-https://bugs.php.net/bug.php?id=66582
 --INI--
 error_reporting=E_ALL & ~E_DEPRECATED
 zend.multibyte=On