diff options
| -rw-r--r-- | ext/mbstring/libmbfl/mbfl/mbfilter.c | 50 | ||||
| -rw-r--r-- | ext/mbstring/tests/bug40685.phpt | 20 |
2 files changed, 69 insertions, 1 deletions
diff --git a/ext/mbstring/libmbfl/mbfl/mbfilter.c b/ext/mbstring/libmbfl/mbfl/mbfilter.c index 34e33644b5..8f2c8bb14e 100644 --- a/ext/mbstring/libmbfl/mbfl/mbfilter.c +++ b/ext/mbstring/libmbfl/mbfl/mbfilter.c @@ -2702,6 +2702,53 @@ collector_decode_htmlnumericentity(int c, void *data) return c; } +int mbfl_filt_decode_htmlnumericentity_flush(mbfl_convert_filter *filter) +{ + struct collector_htmlnumericentity_data *pc = (struct collector_htmlnumericentity_data *)filter; + int n, s, r, d; + + if (pc->status) { + switch (pc->status) { + case 1: /* '&' */ + (*pc->decoder->filter_function)(0x26, pc->decoder); /* '&' */ + break; + case 2: /* '#' */ + (*pc->decoder->filter_function)(0x26, pc->decoder); /* '&' */ + (*pc->decoder->filter_function)(0x23, pc->decoder); /* '#' */ + break; + case 3: /* '0'-'9' */ + (*pc->decoder->filter_function)(0x26, pc->decoder); /* '&' */ + (*pc->decoder->filter_function)(0x23, pc->decoder); /* '#' */ + + s = pc->cache; + r = 1; + n = pc->digit; + while (n > 0) { + r *= 10; + n--; + } + s %= r; + r /= 10; + while (r > 0) { + d = s/r; + s %= r; + r /= 10; + (*pc->decoder->filter_function)(mbfl_hexchar_table[d], pc->decoder); + } + + break; + default: + break; + } + } + + pc->status = 0; + pc->cache = 0; + pc->digit = 0; + + return 0; +} + mbfl_string * mbfl_html_numeric_entity( mbfl_string *string, @@ -2739,7 +2786,8 @@ mbfl_html_numeric_entity( encoder = mbfl_convert_filter_new( string->no_encoding, mbfl_no_encoding_wchar, - collector_decode_htmlnumericentity, 0, &pc); + collector_decode_htmlnumericentity, + (int (*)(void*))mbfl_filt_decode_htmlnumericentity_flush, &pc); } if (pc.decoder == NULL || encoder == NULL) { mbfl_convert_filter_delete(encoder); diff --git a/ext/mbstring/tests/bug40685.phpt b/ext/mbstring/tests/bug40685.phpt new file mode 100644 index 0000000000..420b916bc5 --- /dev/null +++ b/ext/mbstring/tests/bug40685.phpt @@ -0,0 +1,20 @@ +--TEST-- +Bug #40685 (mb_decode_numericentity() removes '&' in the string) +--SKIPIF-- +<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?> +--FILE-- +<?php +$map = array(0, 0x10FFFF, 0, 0xFFFFFF); +var_dump(mb_decode_numericentity('&', $map, 'UTF-8')); +var_dump(mb_decode_numericentity('&&&', $map, 'UTF-8')); +var_dump(mb_decode_numericentity('&#', $map, 'UTF-8')); +var_dump(mb_decode_numericentity('=', $map, 'UTF-8')); +var_dump(mb_decode_numericentity('=', $map, 'UTF-8')); +?> +--EXPECTF-- +string(1) "&" +string(3) "&&&" +string(2) "&#" +string(4) "=" +string(1) "=" + |