From 608097a901fb28d3b1ed0ff4ea2bb76ae9bb1272 Mon Sep 17 00:00:00 2001
From: Nikita Popov
Date: Wed, 19 Jun 2019 16:53:42 +0200
Subject: [PATCH] Fix various instances of memcpy null ub
---
 ext/intl/converter/converter.c | 12 ++++++++++--
 ext/soap/php_sdl.c | 4 +++-
 ext/spl/spl_directory.c | 8 ++++++--
 ext/tidy/tidy.c | 6 +++++-
 4 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/ext/intl/converter/converter.c b/ext/intl/converter/converter.c
index 992a1bade7..7b4109749e 100644
--- a/ext/intl/converter/converter.c
+++ b/ext/intl/converter/converter.c
@@ -231,8 +231,16 @@ static void php_converter_to_u_callback(const void *context,
 zval zargs[4];
 ZVAL_LONG(&zargs[0], reason);
- ZVAL_STRINGL(&zargs[1], args->source, args->sourceLimit - args->source);
- ZVAL_STRINGL(&zargs[2], codeUnits, length);
+ if (args->source) {
+ ZVAL_STRINGL(&zargs[1], args->source, args->sourceLimit - args->source);
+ } else {
+ ZVAL_EMPTY_STRING(&zargs[1]);
+ }
+ if (codeUnits) {
+ ZVAL_STRINGL(&zargs[2], codeUnits, length);
+ } else {
+ ZVAL_EMPTY_STRING(&zargs[2]);
+ }
 ZVAL_LONG(&zargs[3], *pErrorCode);
 objval->to_cb.param_count = 4;
diff --git a/ext/soap/php_sdl.c b/ext/soap/php_sdl.c
index d9fea6d3b2..de4bf5c328 100644
--- a/ext/soap/php_sdl.c
+++ b/ext/soap/php_sdl.c
@@ -116,7 +116,9 @@ encodePtr get_encoder(sdlPtr sdl, const char *ns, const char *type)
 int len = ns_len + type_len + 1;
 nscat = emalloc(len + 1);
- memcpy(nscat, ns, ns_len);
+ if (ns) {
+ memcpy(nscat, ns, ns_len);
+ }
 nscat[ns_len] = ':';
 memcpy(nscat+ns_len+1, type, type_len);
 nscat[len] = '\0';
diff --git a/ext/spl/spl_directory.c b/ext/spl/spl_directory.c
index 676f107c35..1fdaacb588 100644
--- a/ext/spl/spl_directory.c
+++ b/ext/spl/spl_directory.c
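Review bot: The two new NULL branches in php_converter_to_u_callback (ext/intl/converter/converter.c) carry no comment saying why they exist, so a later cleanup could fold them back into plain `ZVAL_STRINGL` calls. A one-line comment above the first `if` would do, for example `/* source/codeUnits may be NULL; memcpy() from NULL is UB even with a zero length */`. The `else` branches also discard `length` and the pointer difference without looking at them, which is only equivalent to the old behaviour if a NULL pointer always arrives with a zero length; the hunk does not show that. The function starts and ends outside the hunk.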
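Review bot: In get_encoder (ext/soap/php_sdl.c) the buffer size is still computed in `int` (`int len = ns_len + type_len + 1;` followed by `emalloc(len + 1)`), so the `memcpy` calls around the new guard write into an allocation whose size can wrap for very long inputs. The declarations of `ns_len` and `type_len` are outside the hunk, but they presumably hold `strlen()` results; declaring them and `len` as `size_t`, e.g. `size_t len = ns_len + type_len + 1;`, removes the narrowing. The new `if (ns)` also relies on `ns_len` being 0 when `ns` is NULL, because `nscat[ns_len] = ':';` runs on both paths; that assignment is made outside the hunk and is worth confirming.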
@@ -619,7 +619,7 @@ static HashTable *spl_filesystem_object_get_debug_info(zval *object, int *is_tem
 pnstr = spl_gen_private_prop_name(spl_ce_SplFileInfo, "pathName", sizeof("pathName")-1);
 path = spl_filesystem_object_get_pathname(intern, &path_len);
- ZVAL_STRINGL(&tmp, path, path_len);
+ ZVAL_STRINGL(&tmp, path ? path : "", path_len);
 zend_symtable_update(rv, pnstr, &tmp);
 zend_string_release_ex(pnstr, 0);
@@ -891,7 +891,11 @@ SPL_METHOD(SplFileInfo, getPath)
 }
 path = spl_filesystem_object_get_path(intern, &path_len);
- RETURN_STRINGL(path, path_len);
+ if (path) {
+ RETURN_STRINGL(path, path_len);
+ } else {
+ RETURN_EMPTY_STRING();
+ }
 }
 /* }}} */
diff --git a/ext/tidy/tidy.c b/ext/tidy/tidy.c
index ee7defeac4..295ca8d8f0 100644
--- a/ext/tidy/tidy.c
+++ b/ext/tidy/tidy.c
@@ -783,7 +783,11 @@ static int tidy_doc_cast_handler(zval *in, zval *out, int type)
 obj = Z_TIDY_P(in);
 tidyBufInit(&output);
 tidySaveBuffer (obj->ptdoc->doc, &output);
- ZVAL_STRINGL(out, (char *) output.bp, output.size ? output.size-1 : 0);
+ if (output.size) {
+ ZVAL_STRINGL(out, (char *) output.bp, output.size-1);
+ } else {
+ ZVAL_EMPTY_STRING(out);
+ }
 tidyBufFree(&output);
 break;
--
2.40.0
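Review bot: `ZVAL_STRINGL(&tmp, path ? path : "", path_len);` in spl_filesystem_object_get_debug_info (ext/spl/spl_directory.c) still copies `path_len` bytes, so a NULL `path` paired with a non-zero `path_len` would read past the one-byte `""` literal. Whether spl_filesystem_object_get_pathname always reports a zero length together with NULL is not visible in this hunk. The getPath hunk in the same file avoids that dependency by branching, and the same form fits here: `if (path) { ZVAL_STRINGL(&tmp, path, path_len); } else { ZVAL_EMPTY_STRING(&tmp); }`. The function body continues outside the hunk.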
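Review bot: The new guard in tidy_doc_cast_handler (ext/tidy/tidy.c) tests `output.size`, while the value that must not be NULL for the copy is `output.bp`; the other hunks in this commit test the pointer itself. The check is sufficient only if the tidy buffer never reports a non-zero size with a NULL `bp`, and since the result of `tidySaveBuffer` on the context line above is not examined, that rests entirely on the library. `if (output.bp && output.size) {` states the requirement directly. A short comment on why one byte is dropped in `output.size-1` would also help, as the hunk does not say what that byte is.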