Merge remote-tracking branch 'security/bug76249' into PHP-5.6

smalyshev · smalyshev · commit 58b00039759b · 2018-04-23T13:44:19.000-07:00
* security/bug76249:
  Fix test
  Fix bug #76249 - fail on invalid sequences
diff --git a/ext/iconv/iconv.c b/ext/iconv/iconv.c
@@ -2672,6 +2672,9 @@ static int php_iconv_stream_filter_append_bucket(
 								tcnt = 0;
 								break;
 							}
+						} else {
+						    php_error_docref(NULL, E_WARNING, "iconv stream filter (\"%s\"=>\"%s\"): invalid multibyte sequence", self->from_charset, self->to_charset);
+						    goto out_failure;
 						}
 						break;
 
diff --git a/ext/iconv/tests/bug76249.phpt b/ext/iconv/tests/bug76249.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Bug #76249 (stream filter convert.iconv leads to infinite loop on invalid sequence)
+--SKIPIF--
+<?php extension_loaded('iconv') or die('skip iconv extension is not available'); ?>
+--FILE--
+<?php
+$fh = fopen('php://memory', 'rw');
+fwrite($fh, "abc");
+rewind($fh);
+stream_filter_append($fh, 'convert.iconv.ucs-2/utf8//IGNORE', STREAM_FILTER_READ, []);
+$a = stream_get_contents($fh);
+var_dump(strlen($a));
+?>
+DONE
+--EXPECTF--
+Warning: stream_get_contents(): iconv stream filter ("ucs-2"=>"utf8//IGNORE"): invalid multibyte sequence in %sbug76249.php on line %d
+int(3)
+DONE

Original file line number	Diff line number	Diff line change
`@@ -2672,6 +2672,9 @@ static int php_iconv_stream_filter_append_bucket(`
`2672`	`2672`	`tcnt = 0;`
`2673`	`2673`	`break;`
`2674`	`2674`	`}`
	`2675`	`+ } else {`
	`2676`	`+ php_error_docref(NULL, E_WARNING, "iconv stream filter (\"%s\"=>\"%s\"): invalid multibyte sequence", self->from_charset, self->to_charset);`
	`2677`	`+ goto out_failure;`
`2675`	`2678`	`}`
`2676`	`2679`	`break;`
`2677`	`2680`