diff options
author | Nikita Popov <nikita.ppv@gmail.com> | 2020-01-29 14:22:45 +0100 |
---|---|---|
committer | Nikita Popov <nikita.ppv@gmail.com> | 2020-01-29 16:08:46 +0100 |
commit | 18599f9c52959b2e8cbfac57e278644499a3547d (patch) | |
tree | 8369d9385e5ce2a713e243d864fcbf20d4b8ff30 | |
parent | 085371b2994f7aa96e7b63cee81fc79194049892 (diff) | |
download | php-git-18599f9c52959b2e8cbfac57e278644499a3547d.tar.gz |
Better overflow check for entity decoding
Check for multiplication overflow rather than number of digits.
-rw-r--r-- | ext/mbstring/libmbfl/mbfl/mbfilter.c | 7 | ||||
-rw-r--r-- | ext/mbstring/tests/mb_decode_numericentity.phpt | 2 |
2 files changed, 6 insertions, 3 deletions
diff --git a/ext/mbstring/libmbfl/mbfl/mbfilter.c b/ext/mbstring/libmbfl/mbfl/mbfilter.c index baaa4c3f36..cec6daad94 100644 --- a/ext/mbstring/libmbfl/mbfl/mbfilter.c +++ b/ext/mbstring/libmbfl/mbfl/mbfilter.c @@ -86,6 +86,7 @@ #include <stddef.h> #include <string.h> +#include <limits.h> #include "mbfilter.h" #include "mbfl_filter_output.h" @@ -2552,12 +2553,12 @@ collector_decode_htmlnumericentity(int c, void *data) s = 0; f = 0; if (c >= 0x30 && c <= 0x39) { /* '0' - '9' */ - if (pc->digit > 9) { + s = pc->cache; + if (s > INT_MAX/10) { pc->status = 0; - s = pc->cache; f = 1; } else { - s = pc->cache*10 + c - 0x30; + s = s*10 + (c - 0x30); pc->cache = s; pc->digit++; } diff --git a/ext/mbstring/tests/mb_decode_numericentity.phpt b/ext/mbstring/tests/mb_decode_numericentity.phpt index b6a7c622a6..c728e2aa69 100644 --- a/ext/mbstring/tests/mb_decode_numericentity.phpt +++ b/ext/mbstring/tests/mb_decode_numericentity.phpt @@ -16,6 +16,7 @@ echo mb_decode_numericentity($str2, $convmap, "UTF-8")."\n"; echo mb_decode_numericentity($str3, $convmap, "UTF-8")."\n"; echo mb_decode_numericentity('�', $convmap), "\n"; +echo mb_decode_numericentity('�', $convmap), "\n"; echo mb_decode_numericentity('�', $convmap), "\n"; echo mb_decode_numericentity('�', $convmap), "\n"; @@ -25,5 +26,6 @@ echo mb_decode_numericentity('�', $convmap), "\n"; ƒΑΒΓΔΕΖΗΘΙΚΛΜΝΞΟΠΡΣΤΥΦΧΨΩαβγδεζηθικλμνξοπρςστυφχψωϑϒϖ•…′″‾⁄℘ℑℜ™ℵ←↑→↓↔↵⇐⇑⇒⇓⇔∀∂∃∅∇∈∉∋∏∑−∗√∝∞∠∧∨∩∪∫∴∼≅≈≠≡≤≥⊂⊃⊄⊆⊇⊕⊗⊥⋅⌈⌉⌊⌋〈〉◊♠♣♥♦ aŒbœcŠdše€fg � +� � � |