archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-15 21:48:51 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Fix legacy text conversion filter for 'HTML-ENTITIES'

Browse source 
Because this routine used a signed char buffer to hold the bytes
in a (possible) HTML entity, any bytes with the MSB set would
be sign-extended when converting to int; for example, 0x86 would
become 0xFFFFFF86 (or -121).

Codepoints with huge values, like 0xFFFFFF86, are not valid and
if any were passed to the output filter, it would treat them
as errors and emit error markers.
This commit is contained in:
Alex Dowad 2022-08-10 20:33:10 +02:00
parent d9269becca
commit d617fcaae2
1 changed files with 3 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

7
ext/mbstring/libmbfl/filters/mbfilter_htmlent.c
View file

@ -180,7 +180,7 @@ int mbfl_filt_conv_html_dec(int c, mbfl_convert_filter *filter)
int pos;
unsigned int ent = 0;
mbfl_html_entity_entry *entity;
char *buffer = (char*)filter->opaque;
unsigned char *buffer = (unsigned char*)filter->opaque;
if (!filter->status) {
if (c == '&' ) {
@ -196,7 +196,7 @@ int mbfl_filt_conv_html_dec(int c, mbfl_convert_filter *filter)
if (filter->status > 3) {
/* numeric entity */
for (pos=3; pos<filter->status; pos++) {
int v = buffer[pos];
int v = buffer[pos];
if (v >= '0' && v <= '9') {
v = v - '0';
} else if (v >= 'A' && v <= 'F') {
@ -242,13 +242,12 @@ int mbfl_filt_conv_html_dec(int c, mbfl_convert_filter *filter)
CK((*filter->output_function)(c, filter->data));
}
filter->status = 0;
/*php_error_docref("ref.mbstring", E_NOTICE, "mbstring decoded '%s'=%d", buffer, ent);*/
} else {
/* named entity */
buffer[filter->status] = 0;
entity = (mbfl_html_entity_entry *)mbfl_html_entity_list;
while (entity->name) {
if (!strcmp(buffer+1, entity->name)) {
if (!strcmp((const char*)buffer+1, entity->name)) {
ent = entity->code;
break;
}