Fix legacy conversion filter for ISO-2022-KR

alexdowad · alexdowad · commit c8e4f313fa17 · 2022-07-18T15:11:31.000+02:00
When I was working on this code before, it really, really
looked like the index into `uhc3_ucs_table` could never
overrun the size of the table. Why did I get this wrong?
Don't know. Anyways, libfuzzer tore away my illusions
and unequivocally demonstrated that the index CAN be
larger than the size of the table.
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_iso2022_kr.c b/ext/mbstring/libmbfl/filters/mbfilter_iso2022_kr.c
@@ -125,8 +125,11 @@ int mbfl_filt_conv_2022kr_wchar(int c, mbfl_convert_filter *filter)
 				}
 			} else {
 				w = (c1 - 0x47)*94 + c - 0x21;
-				ZEND_ASSERT(w < uhc3_ucs_table_size);
-				w = uhc3_ucs_table[w];
+				if (w < uhc3_ucs_table_size) {
+					w = uhc3_ucs_table[w];
+				} else {
+					w = MBFL_BAD_INPUT;
+				}
 			}
 
 			if (w <= 0) {

Original file line number	Diff line number	Diff line change
`@@ -125,8 +125,11 @@ int mbfl_filt_conv_2022kr_wchar(int c, mbfl_convert_filter *filter)`
`125`	`125`	`}`
`126`	`126`	`} else {`
`127`	`127`	`w = (c1 - 0x47)*94 + c - 0x21;`
`128`		`- ZEND_ASSERT(w < uhc3_ucs_table_size);`
`129`		`- w = uhc3_ucs_table[w];`
	`128`	`+ if (w < uhc3_ucs_table_size) {`
	`129`	`+ w = uhc3_ucs_table[w];`
	`130`	`+ } else {`
	`131`	`+ w = MBFL_BAD_INPUT;`
	`132`	`+ }`
`130`	`133`	`}`
`131`	`134`
`132`	`135`	`if (w <= 0) {`