From b5ff09a345b8cc7c6c8946e643c4fc235581d103 Mon Sep 17 00:00:00 2001
From: Rasmus Lerdorf <rasmus@php.net>
Date: Tue, 29 Jan 2008 23:29:04 +0000
Subject: [PATCH] Fixed bug #43957

---
 ext/xml/tests/bug43957.phpt | 13 +++++++++++++
 ext/xml/xml.c               | 18 +++++++++++++++---
 2 files changed, 28 insertions(+), 3 deletions(-)
 create mode 100644 ext/xml/tests/bug43957.phpt

diff --git a/ext/xml/tests/bug43957.phpt b/ext/xml/tests/bug43957.phpt
new file mode 100644
index 0000000000..34ddcd951d
--- /dev/null
+++ b/ext/xml/tests/bug43957.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #43957 - utf8_decode() bogus conversion on multibyte indicator near end of string
+--SKIPIF--
+<?php
+require_once("skipif.inc");
+if (!extension_loaded('xml')) die ("skip xml extension not available");
+?>
+--FILE--
+<?php
+  echo utf8_decode('abc'.chr(0xe0));
+?>
+--EXPECTF--
+abc?
diff --git a/ext/xml/xml.c b/ext/xml/xml.c
index 84d8071de4..bb15cc6c41 100644
--- a/ext/xml/xml.c
+++ b/ext/xml/xml.c
@@ -591,15 +591,27 @@ PHPAPI char *xml_utf8_decode(const XML_Char *s, int len, int *newlen, const XML_
 	while (pos > 0) {
 		c = (unsigned char)(*s);
 		if (c >= 0xf0) { /* four bytes encoded, 21 bits */
-			c = ((s[0]&7)<<18) | ((s[1]&63)<<12) | ((s[2]&63)<<6) | (s[3]&63);
+			if(pos-4 >= 0) {
+				c = ((s[0]&7)<<18) | ((s[1]&63)<<12) | ((s[2]&63)<<6) | (s[3]&63);
+			} else {
+				c = '?';	
+			}
 			s += 4;
 			pos -= 4;
 		} else if (c >= 0xe0) { /* three bytes encoded, 16 bits */
-			c = ((s[0]&63)<<12) | ((s[1]&63)<<6) | (s[2]&63);
+			if(pos-3 >= 0) {
+				c = ((s[0]&63)<<12) | ((s[1]&63)<<6) | (s[2]&63);
+			} else {
+				c = '?';
+			}
 			s += 3;
 			pos -= 3;
 		} else if (c >= 0xc0) { /* two bytes encoded, 11 bits */
-			c = ((s[0]&63)<<6) | (s[1]&63);
+			if(pos-3 >= 0) {
+				c = ((s[0]&63)<<6) | (s[1]&63);
+			} else {
+				c = '?';
+			}
 			s += 2;
 			pos -= 2;
 		} else {
-- 
2.50.1