Add assertions to help catch buffer overflows in mbstring text conversion code

alexdowad · alexdowad · commit a38c7e5703bb · 2022-05-08T14:59:57.000+02:00
diff --git a/ext/mbstring/libmbfl/mbfl/mbfl_convert.c b/ext/mbstring/libmbfl/mbfl/mbfl_convert.c
@@ -360,6 +360,7 @@ zend_string* mb_fast_convert(zend_string *str, const mbfl_encoding *from, const
 
 	while (in_len) {
 		size_t out_len = from->to_wchar(&in, &in_len, wchar_buf, 128, &state);
+		ZEND_ASSERT(out_len <= 128);
 		to->from_wchar(wchar_buf, out_len, &buf, !in_len);
 	}
 
diff --git a/ext/mbstring/libmbfl/mbfl/mbfl_encoding.h b/ext/mbstring/libmbfl/mbfl/mbfl_encoding.h
@@ -154,6 +154,7 @@ static inline void mb_convert_buf_init(mb_convert_buf *buf, size_t initsize, uin
 }
 
 #define MB_CONVERT_BUF_ENSURE(buf, out, limit, needed) \
+	ZEND_ASSERT(out <= limit); \
 	if ((limit - out) < (needed)) { \
 		size_t oldsize = limit - (unsigned char*)ZSTR_VAL(buf->str); \
 		size_t newsize = oldsize + MAX(oldsize >> 1, needed); \

Original file line number	Diff line number	Diff line change
`@@ -360,6 +360,7 @@ zend_string* mb_fast_convert(zend_string str, const mbfl_encoding from, const`
`360`	`360`
`361`	`361`	`while (in_len) {`
`362`	`362`	`size_t out_len = from->to_wchar(&in, &in_len, wchar_buf, 128, &state);`
	`363`	`+ ZEND_ASSERT(out_len <= 128);`
`363`	`364`	`to->from_wchar(wchar_buf, out_len, &buf, !in_len);`
`364`	`365`	`}`
`365`	`366`
Original file line number	Diff line number	Diff line change
`@@ -154,6 +154,7 @@ static inline void mb_convert_buf_init(mb_convert_buf *buf, size_t initsize, uin`
`154`	`154`	`}`
`155`	`155`
`156`	`156`	`#define MB_CONVERT_BUF_ENSURE(buf, out, limit, needed) \`
	`157`	`+ ZEND_ASSERT(out <= limit); \`
`157`	`158`	`if ((limit - out) < (needed)) { \`
`158`	`159`	`size_t oldsize = limit - (unsigned char*)ZSTR_VAL(buf->str); \`
`159`	`160`	`size_t newsize = oldsize + MAX(oldsize >> 1, needed); \`