Skip to content

Commit 547a960

Browse files
cataphractcataphract
committed
- Fixed bug #54332 (trunk only, null pointer deref due to information loss on long to int conversion)
- Fixed some int* pointers being passed as size_t*.
1 parent 2ddfe19 commit 547a960

File tree

2 files changed

+24
-17
lines changed

2 files changed

+24
-17
lines changed

ext/standard/html.c

Lines changed: 15 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@
1313
| license@php.net so we can mail you a copy immediately. |
1414
+----------------------------------------------------------------------+
1515
| Authors: Rasmus Lerdorf <rasmus@php.net> |
16-
| Jaakko Hyvätti <jaakko.hyvatti@iki.fi> |
16+
| Jaakko Hyvätti <jaakko.hyvatti@iki.fi> |
1717
| Wez Furlong <wez@thebrainroom.com> |
1818
| Gustavo Lopes <cataphract@php.net> |
1919
+----------------------------------------------------------------------+
@@ -60,8 +60,7 @@
6060
/* Macro for disabling flag of translation of non-basic entities where this isn't supported.
6161
* Not appropriate for html_entity_decode/htmlspecialchars_decode */
6262
#define LIMIT_ALL(all, doctype, charset) do { \
63-
if ((all) && (CHARSET_PARTIAL_SUPPORT((charset)) || (doctype) == ENT_HTML_DOC_XML1)) \
64-
(all) = 0; \
63+
(all) = (all) && !CHARSET_PARTIAL_SUPPORT((charset)) && ((doctype) != ENT_HTML_DOC_XML1); \
6564
} while (0)
6665

6766
#define MB_FAILURE(pos, advance) do { \
@@ -109,7 +108,7 @@ static inline unsigned int get_next_char(
109108
/* We'll follow strategy 2. from section 3.6.1 of UTR #36:
110109
* "In a reported illegal byte sequence, do not include any
111110
* non-initial byte that encodes a valid character or is a leading
112-
* byte for a valid sequence.» */
111+
* byte for a valid sequence." */
113112
unsigned char c;
114113
c = str[pos];
115114
if (c < 0x80) {
@@ -1419,7 +1418,7 @@ static void php_html_entities(INTERNAL_FUNCTION_PARAMETERS, int all)
14191418
{
14201419
char *str, *hint_charset = NULL;
14211420
int str_len, hint_charset_len = 0;
1422-
int len;
1421+
size_t new_len;
14231422
long flags = ENT_COMPAT;
14241423
char *replaced;
14251424
zend_bool double_encode = 1;
@@ -1428,8 +1427,8 @@ static void php_html_entities(INTERNAL_FUNCTION_PARAMETERS, int all)
14281427
return;
14291428
}
14301429

1431-
replaced = php_escape_html_entities_ex(str, str_len, &len, all, (int) flags, hint_charset, double_encode TSRMLS_CC);
1432-
RETVAL_STRINGL(replaced, len, 0);
1430+
replaced = php_escape_html_entities_ex(str, str_len, &new_len, all, (int) flags, hint_charset, double_encode TSRMLS_CC);
1431+
RETVAL_STRINGL(replaced, (int)new_len, 0);
14331432
}
14341433
/* }}} */
14351434

@@ -1468,17 +1467,18 @@ PHP_FUNCTION(htmlspecialchars)
14681467
PHP_FUNCTION(htmlspecialchars_decode)
14691468
{
14701469
char *str;
1471-
int str_len, len;
1470+
int str_len;
1471+
size_t new_len = 0;
14721472
long quote_style = ENT_COMPAT;
14731473
char *replaced;
14741474

14751475
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &str, &str_len, &quote_style) == FAILURE) {
14761476
return;
14771477
}
14781478

1479-
replaced = php_unescape_html_entities(str, str_len, &len, 0 /*!all*/, quote_style, NULL TSRMLS_CC);
1479+
replaced = php_unescape_html_entities(str, str_len, &new_len, 0 /*!all*/, quote_style, NULL TSRMLS_CC);
14801480
if (replaced) {
1481-
RETURN_STRINGL(replaced, len, 0);
1481+
RETURN_STRINGL(replaced, (int)new_len, 0);
14821482
}
14831483
RETURN_FALSE;
14841484
}
@@ -1489,7 +1489,8 @@ PHP_FUNCTION(htmlspecialchars_decode)
14891489
PHP_FUNCTION(html_entity_decode)
14901490
{
14911491
char *str, *hint_charset = NULL;
1492-
int str_len, hint_charset_len = 0, len;
1492+
int str_len, hint_charset_len = 0;
1493+
size_t new_len = 0;
14931494
long quote_style = ENT_COMPAT;
14941495
char *replaced;
14951496

@@ -1498,9 +1499,9 @@ PHP_FUNCTION(html_entity_decode)
14981499
return;
14991500
}
15001501

1501-
replaced = php_unescape_html_entities(str, str_len, &len, 1 /*all*/, quote_style, hint_charset TSRMLS_CC);
1502+
replaced = php_unescape_html_entities(str, str_len, &new_len, 1 /*all*/, quote_style, hint_charset TSRMLS_CC);
15021503
if (replaced) {
1503-
RETURN_STRINGL(replaced, len, 0);
1504+
RETURN_STRINGL(replaced, (int)new_len, 0);
15041505
}
15051506
RETURN_FALSE;
15061507
}
@@ -1599,10 +1600,7 @@ PHP_FUNCTION(get_html_translation_table)
15991600
LIMIT_ALL(all, doctype, charset);
16001601

16011602
array_init(return_value);
1602-
1603-
if (CHARSET_PARTIAL_SUPPORT(charset)) {
1604-
all = 0;
1605-
}
1603+
16061604
entity_table = determine_entity_table(all, doctype);
16071605
if (all && !CHARSET_UNICODE_COMPAT(charset)) {
16081606
to_uni_table = enc_to_uni_index[charset];

ext/standard/tests/strings/bug54322.phpt

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,9 @@
1+
--TEST--
2+
Bug #54322: Null pointer deref in get_html_translation_table due to information loss in long-to-int conversion
3+
--FILE--
4+
<?php
5+
var_dump(
6+
get_html_translation_table(NAN, 0, "UTF-8") > 0
7+
);
8+
--EXPECT--
9+
bool(true)

0 commit comments

Comments
 (0)