From 3ad0ebdf5cdc6dbe077685907d012eaeac7ea6e4 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Mon, 14 Jan 2019 10:21:41 +0100
Subject: [PATCH] Fixed bug #77454

---
 NEWS                             |  4 ++++
 ext/mbstring/mbstring.c          | 11 +++++------
 ext/mbstring/tests/bug77454.phpt | 16 ++++++++++++++++
 3 files changed, 25 insertions(+), 6 deletions(-)
 create mode 100644 ext/mbstring/tests/bug77454.phpt

diff --git a/NEWS b/NEWS
index 99bc6e5172..71f69919ab 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,10 @@ PHP                                                                        NEWS
   . Fixed bug #77272 (imagescale() may return image resource on failure). (cmb)
   . Fixed bug #77391 (1bpp BMPs may fail to be loaded). (Romain DÃ©oux, cmb)
 
+- Mbstring:
+  . Fixed bug #77454 (mb_scrub() silently truncates after a null byte).
+    (64796c6e69 at gmail dot com)
+
 - MySQLnd:
   . Fixed bug #75684 (In mysqlnd_ext_plugin.h the plugin methods family has
     no external visibility). (Anatol)
diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c
index 2ec7f1a3a8..9973313985 100644
--- a/ext/mbstring/mbstring.c
+++ b/ext/mbstring/mbstring.c
@@ -5260,11 +5260,9 @@ PHP_FUNCTION(mb_chr)
 /* }}} */
 
 
-static inline char* php_mb_scrub(const char* str, size_t str_len, const char* enc)
+static inline char* php_mb_scrub(const char* str, size_t str_len, const char* enc, size_t *ret_len)
 {
-	size_t ret_len;
-
-	return php_mb_convert_encoding(str, str_len, enc, enc, &ret_len);
+	return php_mb_convert_encoding(str, str_len, enc, enc, ret_len);
 }
 
 
@@ -5276,6 +5274,7 @@ PHP_FUNCTION(mb_scrub)
 	char *enc = NULL;
 	size_t enc_len;
 	char *ret;
+	size_t ret_len;
 
 	ZEND_PARSE_PARAMETERS_START(1, 2)
 		Z_PARAM_STRING(str, str_len)
@@ -5290,13 +5289,13 @@ PHP_FUNCTION(mb_scrub)
 		RETURN_FALSE;
 	}
 
-	ret = php_mb_scrub(str, str_len, enc);
+	ret = php_mb_scrub(str, str_len, enc, &ret_len);
 
 	if (ret == NULL) {
 		RETURN_FALSE;
 	}
 
-	RETVAL_STRING(ret);
+	RETVAL_STRINGL(ret, ret_len);
 	efree(ret);
 }
 /* }}} */
diff --git a/ext/mbstring/tests/bug77454.phpt b/ext/mbstring/tests/bug77454.phpt
new file mode 100644
index 0000000000..b64452c79b
--- /dev/null
+++ b/ext/mbstring/tests/bug77454.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Bug #77454: mb_scrub() silently truncates after a null byte
+--FILE--
+<?php
+$str = "before\0after";
+function test($str, $enc) {
+    echo str_replace("\0", '\0', mb_scrub($str, $enc)), "\n";
+}
+test($str, 'latin1');
+test($str, 'utf-8');
+test($str, 'ascii');
+?>
+--EXPECT--
+before\0after
+before\0after
+before\0after
-- 
2.40.0