From 4997ceb24e0e29272b1c4f12a701f96413085a12 Mon Sep 17 00:00:00 2001
From: Ilija Tovilo
Date: Fri, 24 Mar 2023 15:19:58 +0100
Subject: [PATCH] Fix buffer-overflow in php_fgetcsv() when delimiter and enclosure are null byte

Fixes oss-fuzz #57392
---
 ext/standard/file.c | 2 +-
 ext/standard/tests/oss_fuzz_57392.phpt | 17 +++++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 ext/standard/tests/oss_fuzz_57392.phpt

diff --git a/ext/standard/file.c b/ext/standard/file.c
index 4c31ee0eae66..548bcc7a37ca 100644
--- a/ext/standard/file.c
+++ b/ext/standard/file.c
@@ -2088,7 +2088,7 @@ PHPAPI void php_fgetcsv(php_stream *stream, char delimiter, char enclosure, int
 while ((*tmp != delimiter) && isspace((int)*(unsigned char *)tmp)) {
 tmp++;
 }
-if (*tmp == enclosure) {
+if (*tmp == enclosure && tmp < limit) {
 bptr = tmp;
 }
 }
diff --git a/ext/standard/tests/oss_fuzz_57392.phpt b/ext/standard/tests/oss_fuzz_57392.phpt
new file mode 100644
index 000000000000..a7f7a466c0e0
--- /dev/null
+++ b/ext/standard/tests/oss_fuzz_57392.phpt
@@ -0,0 +1,17 @@
+--TEST--
+oss-fuzz #57392: str_getcsv() with null byte as delimiter and enclosure
+--FILE--
+--EXPECT--
+array(2) {
+ [0]=>
+ string(12) "aaaaaaaaaaaa"
+ [1]=>
+ string(2) " "
+}
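Review bot: The added guard on the `if` line still dereferences `*tmp` before it compares `tmp` with `limit`, so the read at `limit` itself happens unconditionally and the bound only stops that position from being treated as an enclosure. That is presumably safe because the buffer appears to carry a NUL terminator at `limit` (which is also what the preceding `while` relies on to stop when `delimiter` is a null byte), but the guard would not depend on that invariant if the comparison came first: `if (tmp < limit && *tmp == enclosure) {`. The `while` loop above has the same shape and reads past `limit` only if the terminator is absent; a one-line comment stating that `limit` is expected to point at a NUL terminator would make the assumption explicit for the next reader, e.g. `/* buffer is NUL-terminated at limit; null-byte delimiter/enclosure must not match the terminator */`. php_fgetcsv() begins and ends outside this hunk, so I cannot confirm where `limit` is set.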