Fix GHSA-r977-prxv-hc43

Move the bound check upwards. Since this doesn't generate output we can check the bound first.
2026-03-24 08:12:21 +01:00 · 2024-11-08 22:04:21 +01:00
parent 6c0e2eb2f8
commit a6c84cd7ef
2 changed files with 16 additions and 3 deletions
--- a/ext/standard/filters.c
+++ b/ext/standard/filters.c
@@ -996,6 +996,9 @@ static php_conv_err_t php_conv_qprint_decode_convert(php_conv_qprint_decode *ins
 			} break;

 			case 5: {
+				if (icnt == 0) {
+					goto out;
+				}
 				if (!inst->lbchars && lb_cnt == 1 && *ps == '\n') {
 					/* auto-detect soft line breaks, found network line break */
 					lb_cnt = lb_ptr = 0;
@@ -1009,15 +1012,13 @@ static php_conv_err_t php_conv_qprint_decode_convert(php_conv_qprint_decode *ins
 					/* soft line break */
 					lb_cnt = lb_ptr = 0;
 					scan_stat = 0;
-				} else if (icnt > 0) {
+				} else {
 					if (*ps == (unsigned char)inst->lbchars[lb_cnt]) {
 						lb_cnt++;
 						ps++, icnt--;
 					} else {
 						scan_stat = 6; /* no break for short-cut */
 					}
-				} else {
-					goto out;
 				}
 			} break;

--- a/ext/standard/tests/filters/ghsa-r977-prxv-hc43.phpt
+++ b/ext/standard/tests/filters/ghsa-r977-prxv-hc43.phpt