Fix bug #66873: check if obj->src is set

2024-09-22 02:17:32 +00:00 · 2014-03-17 01:17:09 -07:00 · 2014-03-17 01:17:09 -07:00 · 66bf216c66
commit 66bf216c66
parent 80fa2ff646
3 changed files with 32 additions and 7 deletions
--- a/6
+++ b/6
@ -29,11 +29,15 @@ PHP                                                                        NEWS
  . hash_pbkdf2() now works correctly if the $length argument is not specified.
    (Nikita)

+- Intl:
+  . Fixed bug #66873 (A reproductible crash in UConverter when given invalid 
+    encoding) (Stas)
+
 - Mail:
  . Fixed bug #66535 (Don't add newline after X-PHP-Originating-Script) (Tjerk)

 - MySQLi:
-  . Fixed bug #66762i (Segfault in mysqli_stmt::bind_result() when link closed)
+  . Fixed bug #66762 (Segfault in mysqli_stmt::bind_result() when link closed)
  (Remi)

 - OPCache
--- a/ext/intl/converter/converter.c
+++ b/ext/intl/converter/converter.c
@ -57,6 +57,8 @@ static inline void php_converter_throw_failure(php_converter_object *objval, UEr

 /* {{{ php_converter_default_callback */
 static void php_converter_default_callback(zval *return_value, zval *zobj, long reason, zval *error TSRMLS_DC) {
+	zval_dtor(error);
+	ZVAL_LONG(error, U_ZERO_ERROR);
 	/* Basic functionality so children can call parent::toUCallback() */
 	switch (reason) {
 		case UCNV_UNASSIGNED:
@ -66,7 +68,16 @@ static void php_converter_default_callback(zval *return_value, zval *zobj, long
 			php_converter_object *objval = (php_converter_object*)CONV_GET(zobj);
 			char chars[127];
 			int8_t chars_len = sizeof(chars);
-			UErrorCode error = U_ZERO_ERROR;
+			UErrorCode uerror = U_ZERO_ERROR;
+            if(!objval->src) {
+                php_converter_throw_failure(objval, U_INVALID_STATE_ERROR TSRMLS_CC, "Source Converter has not been initialized yet");
+				chars[0] = 0x1A;
+				chars[1] = 0;
+				chars_len = 1;
+                ZVAL_LONG(error, U_INVALID_STATE_ERROR);
+                RETVAL_STRINGL(chars, chars_len, 1);
+                return;
+            }

 			/* Yes, this is fairly wasteful at first glance,
 			 * but considering that the alternative is to store
@ -75,18 +86,17 @@ static void php_converter_default_callback(zval *return_value, zval *zobj, long
 			 * I'd rather take the CPU hit here, than waste time
 			 * storing a value I'm unlikely to use.
 			 */
-			ucnv_getSubstChars(objval->src, chars, &chars_len, &error);
-			if (U_FAILURE(error)) {
-				THROW_UFAILURE(objval, "ucnv_getSubstChars", error);
+			ucnv_getSubstChars(objval->src, chars, &chars_len, &uerror);
+			if (U_FAILURE(uerror)) {
+				THROW_UFAILURE(objval, "ucnv_getSubstChars", uerror);
 				chars[0] = 0x1A;
 				chars[1] = 0;
 				chars_len = 1;
+            	ZVAL_LONG(error, uerror);
 			}
 			RETVAL_STRINGL(chars, chars_len, 1);
 		}
 	}
-	zval_dtor(error);
-	ZVAL_LONG(error, U_ZERO_ERROR);
 }
 /* }}} */

--- a/ext/intl/tests/uconverter_bug66873.phpt
+++ b/ext/intl/tests/uconverter_bug66873.phpt
@ -0,0 +1,11 @@
+--TEST--
+Bug #66873 - crash in UConverter with invalid encoding
+--SKIPIF--
+<?php if( !extension_loaded( 'intl' ) ) print 'skip'; ?>
+--FILE--
+<?php
+    $o = new UConverter(1, 1);
+    $o->toUCallback(1, 1, 1, $b);
+    var_dump($o->getErrorCode());
+--EXPECT--
+int(27)