authorNikita Popov <nikita.ppv@gmail.com>2020-01-29 14:22:45 +0100
committerNikita Popov <nikita.ppv@gmail.com>2020-01-29 16:08:46 +0100
commit18599f9c52959b2e8cbfac57e278644499a3547d (patch)
tree8369d9385e5ce2a713e243d864fcbf20d4b8ff30
parent085371b2994f7aa96e7b63cee81fc79194049892 (diff)
Better overflow check for entity decoding
Check for multiplication overflow rather than number of digits.
-rw-r--r--ext/mbstring/libmbfl/mbfl/mbfilter.c7
-rw-r--r--ext/mbstring/tests/mb_decode_numericentity.phpt2
2 files changed, 6 insertions, 3 deletions
diff --git a/ext/mbstring/libmbfl/mbfl/mbfilter.c b/ext/mbstring/libmbfl/mbfl/mbfilter.c
index baaa4c3f36..cec6daad94 100644
--- a/ext/mbstring/libmbfl/mbfl/mbfilter.c
+++ b/ext/mbstring/libmbfl/mbfl/mbfilter.c
@@ -86,6 +86,7 @@
#include <stddef.h>
#include <string.h>
+#include <limits.h>
#include "mbfilter.h"
#include "mbfl_filter_output.h"
@@ -2552,12 +2553,12 @@ collector_decode_htmlnumericentity(int c, void *data)
s = 0;
f = 0;
if (c >= 0x30 && c <= 0x39) { /* '0' - '9' */
- if (pc->digit > 9) {
+ s = pc->cache;
+ if (s > INT_MAX/10) {
pc->status = 0;
- s = pc->cache;
f = 1;
} else {
- s = pc->cache*10 + c - 0x30;
+ s = s*10 + (c - 0x30);
pc->cache = s;
pc->digit++;
}
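Review bot: The new guard `s > INT_MAX/10` covers the multiplication only, so the addition on the else branch can still overflow. When `s` equals `INT_MAX/10`, `s*10` fits, but adding a digit larger than `INT_MAX%10` does not; that is signed overflow if `s` is an `int` (its declaration is outside the hunk). Folding the digit into the bound closes that case: `if (s > (INT_MAX - (c - 0x30))/10) {`. The digits come from the string being decoded, so this boundary is reachable from input. The body of collector_decode_htmlnumericentity starts and ends outside the hunk.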
diff --git a/ext/mbstring/tests/mb_decode_numericentity.phpt b/ext/mbstring/tests/mb_decode_numericentity.phpt
index b6a7c622a6..c728e2aa69 100644
--- a/ext/mbstring/tests/mb_decode_numericentity.phpt
+++ b/ext/mbstring/tests/mb_decode_numericentity.phpt
@@ -16,6 +16,7 @@ echo mb_decode_numericentity($str2, $convmap, "UTF-8")."\n";
echo mb_decode_numericentity($str3, $convmap, "UTF-8")."\n";
echo mb_decode_numericentity('&#1000000000', $convmap), "\n";
+echo mb_decode_numericentity('&#9000000000', $convmap), "\n";
echo mb_decode_numericentity('&#10000000000', $convmap), "\n";
echo mb_decode_numericentity('&#100000000000', $convmap), "\n";
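Review bot: The added case `&#9000000000` is far above the limit, so nothing here exercises the value just past `INT_MAX`, where the final multiplication still fits and only the digit addition can overflow. A case such as `echo mb_decode_numericentity('&#2147483648', $convmap), "\n";` (constructed, assuming a 32-bit int) would pin that boundary. It needs a matching line in the expected-output hunk that follows.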
@@ -25,5 +26,6 @@ echo mb_decode_numericentity('&#100000000000', $convmap), "\n";
ƒΑΒΓΔΕΖΗΘΙΚΛΜΝΞΟΠΡΣΤΥΦΧΨΩαβγδεζηθικλμνξοπρςστυφχψωϑϒϖ•…′″‾⁄℘ℑℜ™ℵ←↑→↓↔↵⇐⇑⇒⇓⇔∀∂∃∅∇∈∉∋∏∑−∗√∝∞∠∧∨∩∪∫∴∼≅≈≠≡≤≥⊂⊃⊄⊆⊇⊕⊗⊥⋅⌈⌉⌊⌋〈〉◊♠♣♥♦
aŒbœcŠdše€fg
&#1000000000
+&#9000000000
&#10000000000
&#100000000000