ext/mbstring: Check conversion map only has integers

Author: Girgias

UPGRADING

@@ -31,6 +31,10 @@ PHP 8.4 UPGRADE NOTES
     will not affect you. As a result DOMImplementation::createDocument() now has
     a tentative return type of DOMDocument instead of DOMDocument|false.
 
+- MBString:
+  . mb_encode_numericentity() and mb_decode_numericentity() now check that
+    the $map is only composed of integers, if not a ValueError is thrown.
+
 - PDO_DBLIB:
   . setAttribute, DBLIB_ATTR_STRINGIFY_UNIQUEIDENTIFIER and DBLIB_ATTR_DATETIME_CONVERT
     have been changed to set value as a bool.

ext/mbstring/mbstring.c

@@ -3878,7 +3878,14 @@ static uint32_t *make_conversion_map(HashTable *target_hash, size_t *conversion_
 	uint32_t *mapelm = convmap;
 
 	ZEND_HASH_FOREACH_VAL(target_hash, hash_entry) {
-		*mapelm++ = zval_get_long(hash_entry);
+		bool failed = true;
+		zend_long tmp = zval_try_get_long(hash_entry, &failed);
+		if (failed) {
+			efree(convmap);
+			zend_argument_value_error(2, "must only be composed of values of type int");
+			return NULL;
+		}
+		*mapelm++ = tmp;
 	} ZEND_HASH_FOREACH_END();
 
 	return convmap;

ext/mbstring/tests/mb_decode_numericentity.phpt

@@ -61,13 +61,6 @@ echo "12: " . bin2hex(mb_decode_numericentity(mb_convert_encoding('�',
 $convmap = [];
 echo "13: " . mb_decode_numericentity('föo', $convmap, "UTF-8") . "\n";
 
-$convmap = array(0x0, 0x2FFFF, 0); // 3 elements
-try {
-    echo "14: " . mb_decode_numericentity($str3, $convmap, "UTF-8") . "\n";
-} catch (ValueError $ex) {
-    echo "14: " . $ex->getMessage()."\n";
-}
-
 echo "15: " . bin2hex(mb_decode_numericentity('�', [0, 1, 0, 0xFFFF], 'UTF-8')) . "\n";
 echo "16: " . bin2hex(mb_decode_numericentity('�', [0, 1, 0, 0xFFFF], 'UTF-8')) . "\n";
 
@@ -182,7 +175,6 @@ for ($i = 12; $i < 256; $i++) {
 11e: &#x000000000
 12: 00bc614e
 13: f&ouml;o
-14: mb_decode_numericentity(): Argument #2 ($map) must have a multiple of 4 elements
 15: 00
 16: 00
 17: föo

ext/mbstring/tests/mb_decode_numericentity_errors.phpt

@@ -0,0 +1,23 @@
+--TEST--
+mb_decode_numericentity() map errors
+--EXTENSIONS--
+mbstring
+--FILE--
+<?php
+try {
+    $convmap = array(0xFF, 0x2FFFF, 0); // 3 elements
+    echo mb_decode_numericentity('str', $convmap, "UTF-8") . "\n";
+} catch (ValueError $ex) {
+    echo $ex->getMessage(), "\n";
+}
+try {
+    $convmap = array(0xFF, "not an int", 0, 0); // 3 elements
+    echo mb_decode_numericentity('str', $convmap, "UTF-8") . "\n";
+} catch (ValueError $ex) {
+    echo $ex->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+mb_decode_numericentity(): Argument #2 ($map) must have a multiple of 4 elements
+mb_decode_numericentity(): Argument #2 ($map) must only be composed of values of type int

ext/mbstring/tests/mb_encode_numericentity.phpt

@@ -17,13 +17,6 @@ echo "3: " . mb_encode_numericentity('aŒbœcŠdše€fg', $convmap, "UTF-8") .
 $convmap = [];
 echo "4: " . mb_encode_numericentity('föo', $convmap, "UTF-8") . "\n";
 
-try {
-    $convmap = array(0xFF, 0x2FFFF, 0); // 3 elements
-    echo "5: " . mb_encode_numericentity('aŒbœcŠdše€fg', $convmap, "UTF-8") . "\n";
-} catch (ValueError $ex) {
-    echo "5: " . $ex->getMessage() . "\n";
-}
-
 // HTML-encode a null byte
 echo "6: " . mb_encode_numericentity("\x00", array(0, 1, 0, 0xFFFF), "UTF-8", false) . "\n";
 echo "6 (hex): " . mb_encode_numericentity("\x00", array(0, 1, 0, 0xFFFF), "UTF-8", true) . "\n";
@@ -72,7 +65,6 @@ echo "13: " . mb_encode_numericentity("\xFF", $convmap, "ASCII", true) . "\n";
 2: ƒΑΒΓΔΕΖΗΘΙΚΛΜΝΞΟΠΡΣΤΥΦΧΨΩαβγδεζηθικλμνξοπρςστυφχψωϑϒϖ•…′″‾⁄℘ℑℜ™ℵ←↑→↓↔↵⇐⇑⇒⇓⇔∀∂∃∅∇∈∉∋∏∑−∗√∝∞∠∧∨∩∪∫∴∼≅≈≠≡≤≥⊂⊃⊄⊆⊇⊕⊗⊥⋅⌈⌉⌊⌋〈〉◊♠♣♥♦
 3: aŒbœcŠdše€fg
 4: föo
-5: mb_encode_numericentity(): Argument #2 ($map) must have a multiple of 4 elements
 6: �
 6 (hex): �
 7: föo

ext/mbstring/tests/mb_encode_numericentity_errors.phpt

@@ -0,0 +1,23 @@
+--TEST--
+mb_encode_numericentity() map errors
+--EXTENSIONS--
+mbstring
+--FILE--
+<?php
+try {
+    $convmap = array(0xFF, 0x2FFFF, 0); // 3 elements
+    echo mb_encode_numericentity('str', $convmap, "UTF-8") . "\n";
+} catch (ValueError $ex) {
+    echo $ex->getMessage(), "\n";
+}
+try {
+    $convmap = array(0xFF, "not an int", 0, 0); // 3 elements
+    echo mb_encode_numericentity('str', $convmap, "UTF-8") . "\n";
+} catch (ValueError $ex) {
+    echo $ex->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+mb_encode_numericentity(): Argument #2 ($map) must have a multiple of 4 elements
+mb_encode_numericentity(): Argument #2 ($map) must only be composed of values of type int