From 9be31a582a83c38cdace9d54778398bc9fe0c7a9 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Wed, 22 Jan 2020 10:25:37 +0100
Subject: [PATCH] Fix #79154: mb_convert_encoding() can modify $from_encoding

We must not modify arrays passed by value.
---
 NEWS                             |  3 +++
 ext/mbstring/mbstring.c          |  9 ++++-----
 ext/mbstring/tests/bug79154.phpt | 34 ++++++++++++++++++++++++++++++++
 3 files changed, 41 insertions(+), 5 deletions(-)
 create mode 100644 ext/mbstring/tests/bug79154.phpt

diff --git a/NEWS b/NEWS
index 3fd5bb055c1..bbb3c919d1d 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,9 @@ PHP                                                                        NEWS
   . Fixed bug #79078 (Hypothetical use-after-free in curl_multi_add_handle()).
     (cmb)
 
+- MBString:
+  . Fixed bug #79154 (mb_convert_encoding() can modify $from_encoding). (cmb)
+
 - MySQLnd:
   . Fixed bug #79084 (mysqlnd may fetch wrong column indexes with MYSQLI_BOTH).
     (cmb)
diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c
index a42373e5cb4..d227bb278a0 100644
--- a/ext/mbstring/mbstring.c
+++ b/ext/mbstring/mbstring.c
@@ -3232,17 +3232,16 @@ PHP_FUNCTION(mb_convert_encoding)
 				_from_encodings = NULL;
 
 				ZEND_HASH_FOREACH_VAL(target_hash, hash_entry) {
-
-					convert_to_string_ex(hash_entry);
+					zend_string *encoding_str = zval_get_string(hash_entry);
 
 					if ( _from_encodings) {
 						l = strlen(_from_encodings);
-						n = strlen(Z_STRVAL_P(hash_entry));
+						n = strlen(ZSTR_VAL(encoding_str));
 						_from_encodings = erealloc(_from_encodings, l+n+2);
 						memcpy(_from_encodings + l, ",", 1);
-						memcpy(_from_encodings + l + 1, Z_STRVAL_P(hash_entry), Z_STRLEN_P(hash_entry) + 1);
+						memcpy(_from_encodings + l + 1, ZSTR_VAL(encoding_str), ZSTR_LEN(encoding_str) + 1);
 					} else {
-						_from_encodings = estrdup(Z_STRVAL_P(hash_entry));
+						_from_encodings = estrdup(ZSTR_VAL(encoding_str));
 					}
 				} ZEND_HASH_FOREACH_END();
 
diff --git a/ext/mbstring/tests/bug79154.phpt b/ext/mbstring/tests/bug79154.phpt
new file mode 100644
index 00000000000..dafac1bd5da
--- /dev/null
+++ b/ext/mbstring/tests/bug79154.phpt
@@ -0,0 +1,34 @@
+--TEST--
+Bug 79154 (mb_convert_encoding() can modify $from_encoding)
+--SKIPIF--
+<?php
+if (!extension_loaded('mbstring')) die('mbstring extension not available');
+?>
+--FILE--
+<?php
+class Utf8Encoding
+{
+    public function __toString()
+    {
+        return 'UTF-8';
+    }
+}
+
+$utf8encoding = new Utf8Encoding();
+$encodings = [$utf8encoding];
+var_dump($encodings);
+mb_convert_encoding('foo', 'UTF-8', $encodings);
+var_dump($encodings);
+
+?>
+--EXPECTF--
+array(1) {
+  [0]=>
+  object(Utf8Encoding)#%d (0) {
+  }
+}
+array(1) {
+  [0]=>
+  object(Utf8Encoding)#%d (0) {
+  }
+}