From c8e4f313fa17976bd68b676d7f5df88f8eaaab5b Mon Sep 17 00:00:00 2001
From: Alex Dowad
Date: Thu, 30 Jun 2022 14:05:17 +0200
Subject: [PATCH] Fix legacy conversion filter for ISO-2022-KR
When I was working on this code before, it really, really looked like the index into `uhc3_ucs_table` could never overrun the size of the table. Why did I get this wrong? Don't know. Anyways, libfuzzer tore away my illusions and unequivocally demonstrated that the index CAN be larger than the size of the table.
---
 ext/mbstring/libmbfl/filters/mbfilter_iso2022_kr.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_iso2022_kr.c b/ext/mbstring/libmbfl/filters/mbfilter_iso2022_kr.c
index b92b8491cc9..f6a95175abc 100644
--- a/ext/mbstring/libmbfl/filters/mbfilter_iso2022_kr.c
+++ b/ext/mbstring/libmbfl/filters/mbfilter_iso2022_kr.c
@@ -125,8 +125,11 @@ int mbfl_filt_conv_2022kr_wchar(int c, mbfl_convert_filter *filter)
 }
 } else {
 w = (c1 - 0x47)*94 + c - 0x21;
- ZEND_ASSERT(w < uhc3_ucs_table_size);
- w = uhc3_ucs_table[w];
+ if (w < uhc3_ucs_table_size) {
+ w = uhc3_ucs_table[w];
+ } else {
+ w = MBFL_BAD_INPUT;
+ }
 }
 if (w <= 0) {