Merge branch 'PHP-8.1' into PHP-8.2

* PHP-8.1: Fix buffer-overflow in php_fgetcsv() with \0 delimiter and enclosure
2025-08-16 05:58:45 +02:00 · 2023-03-25 17:43:07 +01:00 · 2023-03-25 17:43:07 +01:00 · c5fe6c2eb9
commit c5fe6c2eb9
parent 834e295f49 57029ce92e
3 changed files with 20 additions and 1 deletions
--- a/2
+++ b/2
@ -71,6 +71,8 @@ PHP                                                                        NEWS
  . Fixed bug GH-10885 (stream_socket_server context leaks). (ilutov)
  . Fixed bug GH-10052 (Browscap crashes PHP 8.1.12 on request shutdown
    (apache2)). (nielsdos)
+  . Fixed oss-fuzz #57392 (Buffer-overflow in php_fgetcsv() with \0 delimiter
+    and enclosure). (ilutov)

 16 Mar 2023, PHP 8.2.4

--- a/ext/standard/file.c
+++ b/ext/standard/file.c
@ -1970,7 +1970,7 @@ PHPAPI HashTable *php_fgetcsv(php_stream *stream, char delimiter, char enclosure
 			while ((*tmp != delimiter) && isspace((int)*(unsigned char *)tmp)) {
 				tmp++;
 			}
-			if (*tmp == enclosure) {
+			if (*tmp == enclosure && tmp < limit) {
 				bptr = tmp;
 			}
 		}
--- a/ext/standard/tests/oss_fuzz_57392.phpt
+++ b/ext/standard/tests/oss_fuzz_57392.phpt
@ -0,0 +1,17 @@
+--TEST--
+oss-fuzz #57392: Buffer-overflow in php_fgetcsv() with \0 delimiter and enclosure
+--FILE--
+<?php
+var_dump(str_getcsv(
+    "aaaaaaaaaaaa\0  ",
+    "\0",
+    "\0",
+));
+?>
+--EXPECT--
+array(2) {
+  [0]=>
+  string(12) "aaaaaaaaaaaa"
+  [1]=>
+  string(2) "  "
+}