From c527549e899bf211aac7d8ab5ceb1bdfedf07f14 Mon Sep 17 00:00:00 2001
From: Anatol Belski
Date: Tue, 12 Jan 2016 14:57:22 +0100
Subject: [PATCH] Fixed bug #71039 exec functions ignore length but look for NULL termination
---
 ext/standard/exec.c | 8 ++++++++
 .../general_functions/escapeshellarg_bug71039.phpt | 10 ++++++++++
 .../general_functions/escapeshellcmd_bug71039.phpt | 10 ++++++++++
 3 files changed, 28 insertions(+)
 create mode 100644 ext/standard/tests/general_functions/escapeshellarg_bug71039.phpt
 create mode 100644 ext/standard/tests/general_functions/escapeshellcmd_bug71039.phpt
diff --git a/ext/standard/exec.c b/ext/standard/exec.c
index 747f765dd4..29024f6f43 100644
--- a/ext/standard/exec.c
+++ b/ext/standard/exec.c
@@ -467,6 +467,10 @@ PHP_FUNCTION(escapeshellcmd)
 }
 if (command_len) {
+ if (command_len != strlen(command)) {
+ php_error_docref(NULL, E_ERROR, "Input string contains NULL bytes");
+ return;
+ }
 RETVAL_STR(php_escape_shell_cmd(command));
 } else {
 RETVAL_EMPTY_STRING();
@@ -486,6 +490,10 @@ PHP_FUNCTION(escapeshellarg)
 }
 if (argument) {
+ if (argument_len != strlen(argument)) {
+ php_error_docref(NULL, E_ERROR, "Input string contains NULL bytes");
+ return;
+ }
 RETVAL_STR(php_escape_shell_arg(argument));
 }
 }
diff --git a/ext/standard/tests/general_functions/escapeshellarg_bug71039.phpt b/ext/standard/tests/general_functions/escapeshellarg_bug71039.phpt
new file mode 100644
index 0000000000..cbb3f6fcc4
--- /dev/null
+++ b/ext/standard/tests/general_functions/escapeshellarg_bug71039.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Test escapeshellarg() string with \0 bytes
+--FILE--
+
+===DONE===
+--EXPECTF--
+Fatal error: escapeshellarg(): Input string contains NULL bytes in %s on line %d
diff --git a/ext/standard/tests/general_functions/escapeshellcmd_bug71039.phpt b/ext/standard/tests/general_functions/escapeshellcmd_bug71039.phpt
new file mode 100644
index 0000000000..0a4d7eacff
--- /dev/null
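Review bot: The NUL-byte check sits only in the `PHP_FUNCTION(escapeshellcmd)` wrapper (and, in the next hunk, `PHP_FUNCTION(escapeshellarg)`), while `php_escape_shell_cmd(command)` and `php_escape_shell_arg(argument)` are still called with a bare C string and no length. Any other caller of those helpers, if one exists outside this diff, would still have its input cut at the first NUL, so the helpers' contract should be documented where they are defined, e.g. `/* str must be NUL-terminated with no embedded NUL bytes; callers validate the length */`. A short why-comment above the new check would also help: `/* the escaper stops at the first NUL, so a longer string would be escaped only in part */`. Both function bodies start outside their hunks.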
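Review bot: `php_error_docref(NULL, E_ERROR, ...)` in the escapeshellarg hunk (the same call appears in the escapeshellcmd hunk) makes an embedded NUL byte a fatal error, and the new .phpt files expect exactly that `Fatal error:` output. Failing closed is the safe direction for an escaping function, but a script that passes request data through these functions now ends on such input instead of getting a value it can test, so the change should be called out in the function documentation and the release notes. The `return;` that follows leaves the return value unset and is presumably only a safeguard in case the error call returns; a comment like `/* E_ERROR normally does not return */` would say so.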
+++ b/ext/standard/tests/general_functions/escapeshellcmd_bug71039.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Test escapeshellcmd() string with \0 bytes
+--FILE--
+
+===DONE===
+--EXPECTF--
+Fatal error: escapeshellcmd(): Input string contains NULL bytes in %s on line %d
--
2.40.0