The change reduces the input size on patterns using posix character
classes. It is still better than reverting to the patterns from the
older version, as the upstream data uses posix classes also in the later
versions. The input reduction speeds up the pattern matching in some
cases.
This patch is functionally almost same as upstream, but might show some diff
when the input is very long. While the magic data in the newer versions is
functionally an improvement, with jit=0 it might show a performance regression.
The slowdown is negligible in the normal usage and is still acceptable for the
malicious input. If some functional regressions show up, this patch should be
reverted and the tests timing should be adapted instead.
If the `ICONV_MIME_DECODE_CONTINUE_ON_ERROR` flag is set, parsing
should not fail, if there are illegal characters in the headers;
instead we silently ignore these like before.
Avoid patching where vanilla data suffices. More precisely, avoid data
using [:space:] posix class in regex, as it is likely to cause performance
regressions.
CVE-2014-3538 was fixed upstream, but the old patch was still kept in
the PHP port. This patch causes performance regressions when PCRE JIT is
not enabled. This is fixed by applying the relevant original code from
the newer libmagic, which makes the old patch obsolete as the
CVE-2014-3538 tests still pass.
The pcre2_jit_compile_8 sysmbol is always available, even JIT might be
not. If JIT is not enabled explicitly and is enabled in the PHP runtime,
this will lead to a malfunction. This approach ensures JIT is indeed
available on the given platform. For cross compilation this might get
complicated, as it would require an explicit processor architecture and
PCRE2 version check.
Another solution for this case is to run pcre2_config at runtime. That
however would require more condition checks that would impact
architectures where JIT is available.
If the callback set via `xml_set_external_entity_ref_handler()` returns
a falsy value, parsing is supposed to stop and the error number set to
`XML_ERROR_EXTERNAL_ENTITY_HANDLING`. This is already correctly done
by the libexpat binding, but the libxml2 binding ignores the return
value. We fix this by calling `xmlStopParser()` which is available as
of libxml 2.1.0[1] (PHP-7.1 requires at least libxml 2.6.11 anyway),
and setting the desired `errNo` ourselves.
[1] <http://xmlsoft.org/news.html>
