Merge branch 'PHP-7.1'

Yasuo Ohgaki · Yasuo Ohgaki · commit 96e59a200e63 · 2016-09-06T18:22:04.000+09:00
* PHP-7.1:
  Fixed Bug #66964 mb_convert_variables() cannot detect recursion
diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c
@@ -3862,6 +3862,7 @@ PHP_FUNCTION(mb_convert_variables)
 	const mbfl_encoding **elist;
 	char *to_enc;
 	void *ptmp;
+	int recursion_error = 0;
 
 	if (zend_parse_parameters(ZEND_NUM_ARGS(), "sz+", &to_enc, &to_enc_len, &zfrom_enc, &args, &argc) == FAILURE) {
 		return;
@@ -3926,6 +3927,11 @@ PHP_FUNCTION(mb_convert_variables)
 					target_hash = HASH_OF(var);
 					if (target_hash != NULL) {
 						while ((hash_entry = zend_hash_get_current_data(target_hash)) != NULL) {
+							if (++target_hash->u.v.nApplyCount > 1) {
+								--target_hash->u.v.nApplyCount;
+								recursion_error = 1;
+								goto detect_end;
+							}
 							zend_hash_move_forward(target_hash);
 							if (Z_TYPE_P(hash_entry) == IS_INDIRECT) {
 								hash_entry = Z_INDIRECT_P(hash_entry);
@@ -3966,6 +3972,19 @@ PHP_FUNCTION(mb_convert_variables)
 			from_encoding = mbfl_encoding_detector_judge2(identd);
 			mbfl_encoding_detector_delete(identd);
 		}
+		if (recursion_error) {
+			while(stack_level-- && (var = &stack[stack_level])) {
+				if (HASH_OF(var)->u.v.nApplyCount > 1) {
+					HASH_OF(var)->u.v.nApplyCount--;
+				}
+			}
+			efree(stack);
+			if (elist != NULL) {
+				efree((void *)elist);
+			}
+			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot handle recursive references");
+			RETURN_FALSE;
+		}
 		efree(stack);
 
 		if (!from_encoding) {
@@ -4020,6 +4039,11 @@ PHP_FUNCTION(mb_convert_variables)
 						hash_entry = hash_entry_ptr;
 						ZVAL_DEREF(hash_entry);
 						if (Z_TYPE_P(hash_entry) == IS_ARRAY || Z_TYPE_P(hash_entry) == IS_OBJECT) {
+							if (++(HASH_OF(hash_entry)->u.v.nApplyCount) > 1) {
+								--(HASH_OF(hash_entry)->u.v.nApplyCount);
+								recursion_error = 1;
+								goto conv_end;
+							}
 							if (stack_level >= stack_max) {
 								stack_max += PHP_MBSTR_STACK_BLOCK_SIZE;
 								ptmp = erealloc(stack, sizeof(zval) * stack_max);
@@ -4059,10 +4083,22 @@ PHP_FUNCTION(mb_convert_variables)
 				}
 			}
 		}
-		efree(stack);
 
+conv_end:
 		MBSTRG(illegalchars) += mbfl_buffer_illegalchars(convd);
 		mbfl_buffer_converter_delete(convd);
+
+		if (recursion_error) {
+			while(stack_level-- && (var = &stack[stack_level])) {
+				if (HASH_OF(var)->u.v.nApplyCount > 1) {
+					HASH_OF(var)->u.v.nApplyCount--;
+				}
+			}
+			efree(stack);
+			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot handle recursive references");
+			RETURN_FALSE;
+		}
+		efree(stack);
 	}
 
 	if (from_encoding) {
diff --git a/ext/mbstring/tests/bug66964.phpt b/ext/mbstring/tests/bug66964.phpt
@@ -0,0 +1,53 @@
+--TEST--
+Bug #66964 (mb_convert_variables() cannot detect recursion)
+--SKIPIF--
+<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
+--FILE--
+<?php
+$a[] = &$a;
+var_dump(mb_convert_variables('utf-8', 'auto', $a));
+var_dump(mb_convert_variables('utf-8', 'utf-8', $a));
+
+unset($a);
+$a[] = '日本語テキスト';
+$a[] = '日本語テキスト';
+$a[] = '日本語テキスト';
+$a[] = '日本語テキスト';
+var_dump(mb_convert_variables('utf-8', 'utf-8', $a), $a);
+
+$a[] = &$a;
+var_dump(mb_convert_variables('utf-8', 'utf-8', $a), $a);
+
+?>
+--EXPECTF--
+Warning: mb_convert_variables(): %s on line %d
+bool(false)
+
+Warning: mb_convert_variables(): %s on line %d
+bool(false)
+string(5) "UTF-8"
+array(4) {
+  [0]=>
+  string(21) "日本語テキスト"
+  [1]=>
+  string(21) "日本語テキスト"
+  [2]=>
+  string(21) "日本語テキスト"
+  [3]=>
+  string(21) "日本語テキスト"
+}
+
+Warning: mb_convert_variables(): %s on line %d
+bool(false)
+array(5) {
+  [0]=>
+  string(21) "日本語テキスト"
+  [1]=>
+  string(21) "日本語テキスト"
+  [2]=>
+  string(21) "日本語テキスト"
+  [3]=>
+  string(21) "日本語テキスト"
+  [4]=>
+  *RECURSION*
+}
