Merge branch 'PHP-8.2'

iluuu1994 · iluuu1994 · commit 439cea49fa60 · 2023-03-25T17:43:12.000+01:00
* PHP-8.2:
  Fix buffer-overflow in php_fgetcsv() with \0 delimiter and enclosure
diff --git a/ext/standard/file.c b/ext/standard/file.c
@@ -1970,7 +1970,7 @@ PHPAPI HashTable *php_fgetcsv(php_stream *stream, char delimiter, char enclosure
 			while ((*tmp != delimiter) && isspace((int)*(unsigned char *)tmp)) {
 				tmp++;
 			}
-			if (*tmp == enclosure) {
+			if (*tmp == enclosure && tmp < limit) {
 				bptr = tmp;
 			}
 		}
diff --git a/ext/standard/tests/oss_fuzz_57392.phpt b/ext/standard/tests/oss_fuzz_57392.phpt
@@ -0,0 +1,17 @@
+--TEST--
+oss-fuzz #57392: Buffer-overflow in php_fgetcsv() with \0 delimiter and enclosure
+--FILE--
+<?php
+var_dump(str_getcsv(
+    "aaaaaaaaaaaa\0  ",
+    "\0",
+    "\0",
+));
+?>
+--EXPECT--
+array(2) {
+  [0]=>
+  string(12) "aaaaaaaaaaaa"
+  [1]=>
+  string(2) "  "
+}

Original file line number	Diff line number	Diff line change
`@@ -1970,7 +1970,7 @@ PHPAPI HashTable php_fgetcsv(php_stream stream, char delimiter, char enclosure`
`1970`	`1970`	`while ((tmp != delimiter) && isspace((int)(unsigned char *)tmp)) {`
`1971`	`1971`	`tmp++;`
`1972`	`1972`	`}`
`1973`		`- if (*tmp == enclosure) {`
	`1973`	`+ if (*tmp == enclosure && tmp < limit) {`
`1974`	`1974`	`bptr = tmp;`
`1975`	`1975`	`}`
`1976`	`1976`	`}`