Assert minimum size of wchar buffer in text conversion filters

In all text conversion filters which require the wchar buffer used for output
to have some minimum size, it's better to include an assertion; this will
help us to catch bugs, and will also help future readers to understand what
we expect of the function arguments.

For UTF-7 and UTF7-IMAP, these assertions were already there, but I have
added comments explaining why the minimum size is what it is.

Author: alexdowad

ext/mbstring/libmbfl/filters/mbfilter_cp5022x.c

@@ -640,6 +640,8 @@ static int mbfl_filt_conv_wchar_cp50222_flush(mbfl_convert_filter *filter)
 
 static size_t mb_cp5022x_to_wchar(unsigned char **in, size_t *in_len, uint32_t *buf, size_t bufsize, unsigned int *state)
 {
+	ZEND_ASSERT(bufsize >= 3);
+
 	unsigned char *p = *in, *e = p + *in_len;
 	uint32_t *out = buf, *limit = buf + bufsize;
 

ext/mbstring/libmbfl/filters/mbfilter_jis.c

@@ -463,6 +463,8 @@ mbfl_filt_conv_any_jis_flush(mbfl_convert_filter *filter)
 
 static size_t mb_iso2022jp_to_wchar(unsigned char **in, size_t *in_len, uint32_t *buf, size_t bufsize, unsigned int *state)
 {
+	ZEND_ASSERT(bufsize >= 3);
+
 	unsigned char *p = *in, *e = p + *in_len;
 	uint32_t *out = buf, *limit = buf + bufsize;
 

ext/mbstring/libmbfl/filters/mbfilter_sjis_mac.c

@@ -667,6 +667,9 @@ mbfl_filt_conv_wchar_sjis_mac_flush(mbfl_convert_filter *filter)
 
 static size_t mb_sjismac_to_wchar(unsigned char **in, size_t *in_len, uint32_t *buf, size_t bufsize, unsigned int *state)
 {
+	/* A single SJIS-Mac kuten code can convert to up to 5 Unicode codepoints, oh my! */
+	ZEND_ASSERT(bufsize >= 5);
+
 	unsigned char *p = *in, *e = p + *in_len;
 	uint32_t *out = buf, *limit = buf + bufsize;
 

ext/mbstring/libmbfl/filters/mbfilter_utf7.c

@@ -480,6 +480,13 @@ static size_t mb_utf7_to_wchar(unsigned char **in, size_t *in_len, uint32_t *buf
 {
 	ZEND_ASSERT(bufsize >= 5); /* This function will infinite-loop if called with a tiny output buffer */
 
+	/* Why does this require a minimum output buffer size of 5?
+	 * There is one case where one iteration of the main 'while' loop below will emit 5 wchars:
+	 * that is if the first half of a surrogate pair is followed by an otherwise valid codepoint which
+	 * is not the 2nd half of a surrogate pair, then another valid codepoint, then the Base64-encoded
+	 * section ends with a byte which is not a valid Base64 character, AND which also is not in a
+	 * position where we would expect the Base64-encoded section to end */
+
 	unsigned char *p = *in, *e = p + *in_len;
 	uint32_t *out = buf, *limit = buf + bufsize;
 

ext/mbstring/libmbfl/filters/mbfilter_utf7imap.c

@@ -505,6 +505,10 @@ static size_t mb_utf7imap_to_wchar(unsigned char **in, size_t *in_len, uint32_t
 {
 	ZEND_ASSERT(bufsize >= 5); /* This function will infinite-loop if called with a tiny output buffer */
 
+	/* Why does this require a minimum output buffer size of 5?
+	 * See comment in mb_utf7_to_wchar; the worst case for this function is similar,
+	 * though not exactly the same. */
+
 	unsigned char *p = *in, *e = p + *in_len;
 	/* Always leave one empty space in output buffer in case the string ends while
 	 * in Base64 mode and we need to emit an error marker */

ext/mbstring/libmbfl/filters/mbfilter_uuencode.c

@@ -167,6 +167,8 @@ int mbfl_filt_conv_uudec(int c, mbfl_convert_filter *filter)
 
 static size_t mb_uuencode_to_wchar(unsigned char **in, size_t *in_len, uint32_t *buf, size_t bufsize, unsigned int *state)
 {
+	ZEND_ASSERT(bufsize >= 3);
+
 	unsigned char *p = *in, *e = p + *in_len;
 	uint32_t *out = buf, *limit = buf + bufsize;