PHP bug #79371

0001-Fix-79371-mb_strtolower-UTF-32LE-stack-buffer-overfl.patch

From c346b0f05247708a24707446ba014a7a8a567448 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Thu, 12 Mar 2020 13:04:04 +0100
Subject: [PATCH] Fix #79371: mb_strtolower (UTF-32LE): stack-buffer-overflow

We make sure that negative values are properly compared.
---
 ext/mbstring/php_unicode.c       |  2 +-
 ext/mbstring/tests/bug79371.phpt | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 ext/mbstring/tests/bug79371.phpt

diff --git a/ext/mbstring/php_unicode.c b/ext/mbstring/php_unicode.c
index 664f760fc3..4fa650d894 100644
--- a/ext/mbstring/php_unicode.c
+++ b/ext/mbstring/php_unicode.c
@@ -315,7 +315,7 @@ static int convert_case_filter(int c, void *void_data)
 
 	/* Handle invalid characters early, as we assign special meaning to
 	 * codepoints above 0xffffff. */
-	if (UNEXPECTED(c > 0xffffff)) {
+	if (UNEXPECTED((unsigned) c > 0xffffff)) {
 		(*data->next_filter->filter_function)(c, data->next_filter);
 		return 0;
 	}
diff --git a/ext/mbstring/tests/bug79371.phpt b/ext/mbstring/tests/bug79371.phpt
new file mode 100644
index 0000000000..3014feba53
--- /dev/null
+++ b/ext/mbstring/tests/bug79371.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Bug #79371 (mb_strtolower (UTF-32LE): stack-buffer-overflow)
+--SKIPIF--
+<?php
+if (!extension_loaded('mbstring')) die('skip mbstring extension not available');
+?>
+--FILE--
+<?php
+$bytes = array(0xef, 0xbf, 0xbd, 0xef);
+$str = implode(array_map("chr", $bytes));
+var_dump(bin2hex(mb_strtolower($str, "UTF-32LE")));
+?>
+--EXPECT--
+string(8) "3f000000"
-- 
2.25.1.windows.1