authorGustavo André dos Santos Lopes <cataphract@php.net>2010-10-14 19:14:06 +0000
committerGustavo André dos Santos Lopes <cataphract@php.net>2010-10-14 19:14:06 +0000
commitbfcb754eae94c5dbb3940253c773e1fba67ba04f (patch)
tree691a362c7226ca5343695be4af82b869dc78aa19 /ext/standard/html.c
parent3943351e6a0a7d866ec2e74e32181eae340cf920 (diff)
- Fixed get_next_char(), used by htmlentities/htmlspecialchars, accepting
certain ill-formed UTF-8 sequences.
Diffstat (limited to 'ext/standard/html.c')
-rw-r--r--ext/standard/html.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/ext/standard/html.c b/ext/standard/html.c
index d32246d513..5d683e237b 100644
--- a/ext/standard/html.c
+++ b/ext/standard/html.c
@@ -129,7 +129,7 @@ inline static unsigned int get_next_char(enum entity_charset charset,
MB_WRITE(c);
this_char = c;
pos++;
- } else if (c < 0xc0) {
+ } else if (c < 0xc2) {
MB_FAILURE(pos);
} else if (c < 0xe0) {
CHECK_LEN(pos, 2);
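Review bot: The new bound in `} else if (c < 0xc2) {` is a bare magic number, and nothing in the hunk says why 0xc0 and 0xc1 now fail together with the continuation bytes. I would add a comment above it such as `/* 0x80..0xbf: stray continuation byte; 0xc0, 0xc1: could only start an overlong form of U+0000..U+007F */`. The reason is worth recording in an escaping routine: an overlong form of a character such as `<` would presumably not be recognised as that character by the escaper, yet a lenient downstream decoder may map it back to it. get_next_char() starts and ends outside this hunk.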
@@ -161,7 +161,7 @@ inline static unsigned int get_next_char(enum entity_charset charset,
MB_WRITE((unsigned char)str[pos + 1]);
MB_WRITE((unsigned char)str[pos + 2]);
pos += 3;
- } else if (c < 0xf8) {
+ } else if (c < 0xf5) {
CHECK_LEN(pos, 4);
if (str[pos + 1] < 0x80 || str[pos + 1] > 0xbf) {
MB_FAILURE(pos);
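Review bot: Lead bytes 0xf5..0xff no longer enter the four-byte branch at `} else if (c < 0xf5) {`, so their handling now rests on whatever branch follows, which is outside this hunk. It is worth confirming that branch ends in `MB_FAILURE(pos)` rather than passing the byte through. A comment on the new bound would also help: `/* 0xf5..0xf7 could only encode code points above U+10FFFF */`. The generic 0x80..0xbf test on `str[pos + 1]` still admits F0 80..8F and F4 90..BF, which appear to be caught only by the range check on this_char in the next hunk, so the two checks need to stay paired in any later refactoring.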
@@ -173,7 +173,7 @@ inline static unsigned int get_next_char(enum entity_charset charset,
MB_FAILURE(pos);
}
this_char = ((c & 0x07) << 18) | ((str[pos + 1] & 0x3f) << 12) | ((str[pos + 2] & 0x3f) << 6) | (str[pos + 3] & 0x3f);
- if (this_char < 0x10000) {
+ if (this_char < 0x10000 || this_char > 0x10FFFF) {
MB_FAILURE(pos);
}
MB_WRITE((unsigned char)c);
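Review bot: The literal in `this_char > 0x10FFFF` is written in upper-case hex while every other constant in these hunks is lower-case (`0xc2`, `0xf5`, `0xbf`, `0x10000`); `if (this_char < 0x10000 || this_char > 0x10ffff) {` would match the surrounding code. The condition now covers two distinct failures, so a comment such as `/* non-shortest form, or beyond U+10FFFF */` would keep them apart for the reader. The diffstat shown is limited to html.c, so I cannot tell whether a regression test accompanies the change. If none does, a test that feeds the boundary lead bytes (0xc1/0xc2 and 0xf4/0xf5) through htmlspecialchars() would pin all three new bounds.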