Fix crashes in enchant when passing null bytes

See https://github.com/php/php-src/pull/17393#discussion_r1907660137 Closes GH-17407.
2026-04-27 01:48:26 +02:00 · 2025-01-08 20:14:46 +01:00
parent 1235c74828
commit 783ecad82e
3 changed files with 84 additions and 11 deletions
@@ -2,6 +2,9 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.3.17

+- Enchant:
+  . Fix crashes in enchant when passing null bytes. (nielsdos)
+
 - FTP:
  . Fixed bug GH-16800 (ftp functions can abort with EINTR). (nielsdos)

@@ -339,7 +339,7 @@ PHP_FUNCTION(enchant_broker_set_dict_path)
 	char *value;
 	size_t value_len;

-	if (zend_parse_parameters(ZEND_NUM_ARGS(), "Ols", &broker, enchant_broker_ce, &dict_type, &value, &value_len) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "Olp", &broker, enchant_broker_ce, &dict_type, &value, &value_len) == FAILURE) {
 		RETURN_THROWS();
 	}

@@ -440,7 +440,7 @@ PHP_FUNCTION(enchant_broker_request_dict)
 	char *tag;
 	size_t taglen;

-	if (zend_parse_parameters(ZEND_NUM_ARGS(), "Os", &broker, enchant_broker_ce, &tag, &taglen) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "Op", &broker, enchant_broker_ce, &tag, &taglen) == FAILURE) {
 		RETURN_THROWS();
 	}

@@ -534,7 +534,7 @@ PHP_FUNCTION(enchant_broker_dict_exists)
 	size_t taglen;
 	enchant_broker * pbroker;

-	if (zend_parse_parameters(ZEND_NUM_ARGS(), "Os", &broker, enchant_broker_ce,  &tag, &taglen) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "Op", &broker, enchant_broker_ce,  &tag, &taglen) == FAILURE) {
 		RETURN_THROWS();
 	}

@@ -559,7 +559,7 @@ PHP_FUNCTION(enchant_broker_set_ordering)
 	size_t ptaglen;
 	enchant_broker * pbroker;

-	if (zend_parse_parameters(ZEND_NUM_ARGS(), "Oss", &broker, enchant_broker_ce, &ptag, &ptaglen, &pordering, &porderinglen) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "Opp", &broker, enchant_broker_ce, &ptag, &ptaglen, &pordering, &porderinglen) == FAILURE) {
 		RETURN_THROWS();
 	}

@@ -597,7 +597,7 @@ PHP_FUNCTION(enchant_dict_quick_check)
 	size_t wordlen;
 	enchant_dict *pdict;

-	if (zend_parse_parameters(ZEND_NUM_ARGS(), "Os|z", &dict, enchant_dict_ce, &word, &wordlen, &sugg) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "Op|z", &dict, enchant_dict_ce, &word, &wordlen, &sugg) == FAILURE) {
 		RETURN_THROWS();
 	}

@@ -642,7 +642,7 @@ PHP_FUNCTION(enchant_dict_check)
 	size_t wordlen;
 	enchant_dict *pdict;

-	if (zend_parse_parameters(ZEND_NUM_ARGS(), "Os", &dict, enchant_dict_ce, &word, &wordlen) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "Op", &dict, enchant_dict_ce, &word, &wordlen) == FAILURE) {
 		RETURN_THROWS();
 	}

@@ -662,7 +662,7 @@ PHP_FUNCTION(enchant_dict_suggest)
 	enchant_dict *pdict;
 	size_t n_sugg;

-	if (zend_parse_parameters(ZEND_NUM_ARGS(), "Os", &dict, enchant_dict_ce, &word, &wordlen) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "Op", &dict, enchant_dict_ce, &word, &wordlen) == FAILURE) {
 		RETURN_THROWS();
 	}

@@ -690,7 +690,7 @@ PHP_FUNCTION(enchant_dict_add)
 	size_t wordlen;
 	enchant_dict *pdict;

-	if (zend_parse_parameters(ZEND_NUM_ARGS(), "Os", &dict, enchant_dict_ce, &word, &wordlen) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "Op", &dict, enchant_dict_ce, &word, &wordlen) == FAILURE) {
 		RETURN_THROWS();
 	}

@@ -708,7 +708,7 @@ PHP_FUNCTION(enchant_dict_add_to_session)
 	size_t wordlen;
 	enchant_dict *pdict;

-	if (zend_parse_parameters(ZEND_NUM_ARGS(), "Os", &dict, enchant_dict_ce, &word, &wordlen) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "Op", &dict, enchant_dict_ce, &word, &wordlen) == FAILURE) {
 		RETURN_THROWS();
 	}

@@ -726,7 +726,7 @@ PHP_FUNCTION(enchant_dict_is_added)
 	size_t wordlen;
 	enchant_dict *pdict;

-	if (zend_parse_parameters(ZEND_NUM_ARGS(), "Os", &dict, enchant_dict_ce, &word, &wordlen) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "Op", &dict, enchant_dict_ce, &word, &wordlen) == FAILURE) {
 		RETURN_THROWS();
 	}

@@ -748,7 +748,7 @@ PHP_FUNCTION(enchant_dict_store_replacement)

 	enchant_dict *pdict;

-	if (zend_parse_parameters(ZEND_NUM_ARGS(), "Oss", &dict, enchant_dict_ce, &mis, &mislen, &cor, &corlen) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "Opp", &dict, enchant_dict_ce, &mis, &mislen, &cor, &corlen) == FAILURE) {
 		RETURN_THROWS();
 	}

@@ -0,0 +1,70 @@
+--TEST--
+null bytes
+--EXTENSIONS--
+enchant
+--SKIPIF--
+<?php
+$broker = enchant_broker_init();
+if (!enchant_broker_list_dicts($broker)) die("skip No broker dicts installed");
+?>
+--FILE--
+<?php
+
+$broker = enchant_broker_init();
+$dicts = enchant_broker_list_dicts($broker);
+$requestDict = enchant_broker_request_dict($broker, $dicts[0]['lang_tag']);
+
+$two_params_broker = [
+    "enchant_broker_request_dict",
+    "enchant_broker_dict_exists",
+];
+
+$two_params_dict = [
+    "enchant_dict_quick_check",
+    "enchant_dict_check",
+    "enchant_dict_suggest",
+    "enchant_dict_add",
+    "enchant_dict_add_to_session",
+    "enchant_dict_is_added",
+];
+
+foreach ($two_params_broker as $func) {
+    try {
+        $func($broker, "foo\0bar");
+    } catch (ValueError $e) {
+        echo $e->getMessage(), "\n";
+    }
+}
+
+foreach ($two_params_dict as $func) {
+    try {
+        $func($requestDict, "foo\0bar");
+    } catch (ValueError $e) {
+        echo $e->getMessage(), "\n";
+    }
+}
+
+try {
+    var_dump(enchant_broker_set_ordering($broker, "foo\0bar", "foo\0bar"));
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+
+try {
+    var_dump(enchant_dict_store_replacement($requestDict, "foo\0bar", "foo\0bar"));
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+enchant_broker_request_dict(): Argument #2 ($tag) must not contain any null bytes
+enchant_broker_dict_exists(): Argument #2 ($tag) must not contain any null bytes
+enchant_dict_quick_check(): Argument #2 ($word) must not contain any null bytes
+enchant_dict_check(): Argument #2 ($word) must not contain any null bytes
+enchant_dict_suggest(): Argument #2 ($word) must not contain any null bytes
+enchant_dict_add(): Argument #2 ($word) must not contain any null bytes
+enchant_dict_add_to_session(): Argument #2 ($word) must not contain any null bytes
+enchant_dict_is_added(): Argument #2 ($word) must not contain any null bytes
+enchant_broker_set_ordering(): Argument #2 ($tag) must not contain any null bytes
+enchant_dict_store_replacement(): Argument #2 ($misspelled) must not contain any null bytes