Fix GH-10187: Segfault in stripslashes() with arm64

nielsdos · todeveni · Girgias · commit 4c9375e504a6 · 2022-12-30T16:40:56.000Z
Closes GH-10188 Co-authored-by: todeveni <toni.viemero@iki.fi> Signed-off-by: George Peter Banyard <girgias@php.net>
diff --git a/NEWS b/NEWS
@@ -34,6 +34,9 @@ PHP                                                                        NEWS
 - Posix:
   . Fix memory leak in posix_ttyname() (girgias)
 
+- Standard:
+  . Fix GH-10187 (Segfault in stripslashes() with arm64). (nielsdos)
+
 - TSRM:
   . Fixed Windows shmget() wrt. IPC_PRIVATE. (Tyson Andre)
 
diff --git a/ext/standard/string.c b/ext/standard/string.c
@@ -3988,19 +3988,23 @@ static zend_always_inline char *php_stripslashes_impl(const char *str, char *out
 		quad_word q;
 		vst1q_u8(q.mem, vceqq_u8(x, vdupq_n_u8('\\')));
 		if (q.dw[0] | q.dw[1]) {
-			int i = 0;
-			for (; i < 16; i++) {
+			unsigned int i = 0;
+			while (i < 16) {
 				if (q.mem[i] == 0) {
 					*out++ = str[i];
+					i++;
 					continue;
 				}
 
 				i++;			/* skip the slash */
-				char s = str[i];
-				if (s == '0')
-					*out++ = '\0';
-				else
-					*out++ = s;	/* preserve the next character */
+				if (i < len) {
+					char s = str[i];
+					if (s == '0')
+						*out++ = '\0';
+					else
+						*out++ = s;	/* preserve the next character */
+					i++;
+				}
 			}
 			str += i;
 			len -= i;
diff --git a/ext/standard/tests/strings/gh10187.phpt b/ext/standard/tests/strings/gh10187.phpt
@@ -0,0 +1,8 @@
+--TEST--
+GH-10187 (Segfault in stripslashes() with arm64)
+--FILE--
+<?php
+var_dump(stripslashes("1234567890abcde\\"));
+?>
+--EXPECT--
+string(15) "1234567890abcde"
