diff options
author | Stanislav Malyshev <stas@php.net> | 2020-01-20 21:42:44 -0800 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2020-01-20 21:43:42 -0800 |
commit | 2bcbc95f033c31b00595ed39f79c3a99b4ed0501 (patch) | |
tree | 9ec1a115a8c6073b2b195949ff470b1e91966488 | |
parent | 0f79b1bf301f455967676b5129240140c5c45b09 (diff) | |
download | php-git-2bcbc95f033c31b00595ed39f79c3a99b4ed0501.tar.gz |
Fix bug #79037 (global buffer-overflow in `mbfl_filt_conv_big5_wchar`)
-rw-r--r-- | ext/mbstring/libmbfl/filters/mbfilter_big5.c | 17 | ||||
-rw-r--r-- | ext/mbstring/tests/bug79037.phpt | 10 |
2 files changed, 22 insertions, 5 deletions
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_big5.c b/ext/mbstring/libmbfl/filters/mbfilter_big5.c index f5ab8809ce..5e1ca815da 100644 --- a/ext/mbstring/libmbfl/filters/mbfilter_big5.c +++ b/ext/mbstring/libmbfl/filters/mbfilter_big5.c @@ -138,6 +138,17 @@ static unsigned short cp950_pua_tbl[][4] = { {0xf70f,0xf848,0xc740,0xc8fe}, }; +static inline int is_in_cp950_pua(int c1, int c) { + if ((c1 >= 0xfa && c1 <= 0xfe) || (c1 >= 0x8e && c1 <= 0xa0) || + (c1 >= 0x81 && c1 <= 0x8d) || (c1 >= 0xc7 && c1 <= 0xc8)) { + return (c >=0x40 && c <= 0x7e) || (c >= 0xa1 && c <= 0xfe); + } + if (c1 == 0xc6) { + return c >= 0xa1 && c <= 0xfe; + } + return 0; +} + /* * Big5 => wchar */ @@ -186,11 +197,7 @@ mbfl_filt_conv_big5_wchar(int c, mbfl_convert_filter *filter) if (filter->from->no_encoding == mbfl_no_encoding_cp950) { /* PUA for CP950 */ - if (w <= 0 && - (((c1 >= 0xfa && c1 <= 0xfe) || (c1 >= 0x8e && c1 <= 0xa0) || - (c1 >= 0x81 && c1 <= 0x8d) ||(c1 >= 0xc7 && c1 <= 0xc8)) - && ((c > 0x39 && c < 0x7f) || (c > 0xa0 && c < 0xff))) || - ((c1 == 0xc6) && (c > 0xa0 && c < 0xff))) { + if (w <= 0 && is_in_cp950_pua(c1, c)) { c2 = c1 << 8 | c; for (k = 0; k < sizeof(cp950_pua_tbl)/(sizeof(unsigned short)*4); k++) { if (c2 >= cp950_pua_tbl[k][2] && c2 <= cp950_pua_tbl[k][3]) { diff --git a/ext/mbstring/tests/bug79037.phpt b/ext/mbstring/tests/bug79037.phpt new file mode 100644 index 0000000000..94ff01a4a1 --- /dev/null +++ b/ext/mbstring/tests/bug79037.phpt @@ -0,0 +1,10 @@ +--TEST-- +Bug #79037: global buffer-overflow in `mbfl_filt_conv_big5_wchar` +--FILE-- +<?php + +var_dump(mb_convert_encoding("\x81\x3a", "UTF-8", "CP950")); + +?> +--EXPECT-- +string(1) "?" |