In legacy text conversion filters, reset filter state in 'flush' function

alexdowad · alexdowad · commit 5812b4fe54a3 · 2022-10-10T20:46:12.000+09:00
Up until now, I believed that mbstring had been designed such that (legacy) text conversion filter objects should not be re-used after the 'flush' function is called to complete a text conversion operation. However, it turns out that the implementation of _php_mb_encoding_handler_ex DID re-use filter objects after flush. That means that functions which were based on _php_mb_encoding_handler_ex, including mb_parse_str and php_mb_post_handler, would break in some cases; state left over from converting one substring (perhaps a variable name) would affect the results of converting another substring (perhaps the value of the same variable), and could cause extraneous characters to get inserted into the output. All this code should be deleted soon, but fixing it helps me to avoid spurious failures when fuzzing the new/old code to look for differences in behavior. (This bug fix commit was originally applied to PHP-8.2 when fuzzing the new mbstring text conversion code to check for differences with the old code. Later, Kentaro Ohkouchi kindly reported a problem with mb_encode_mimeheader under PHP 8.1 which was caused by the same issue. Hence, this commit was backported to PHP-8.1.) Fixes GH-9683.
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_big5.c b/ext/mbstring/libmbfl/filters/mbfilter_big5.c
@@ -251,6 +251,7 @@ static int mbfl_filt_conv_big5_wchar_flush(mbfl_convert_filter *filter)
 {
 	if (filter->status == 1) {
 		/* 2-byte character was truncated */
+		filter->status = 0;
 		CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));
 	}
 
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_cp5022x.c b/ext/mbstring/libmbfl/filters/mbfilter_cp5022x.c
@@ -312,6 +312,7 @@ static int mbfl_filt_conv_cp5022x_wchar_flush(mbfl_convert_filter *filter)
 		/* 2-byte (JIS X 0208 or 0212) character was truncated */
 		CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));
 	}
+	filter->status = 0;
 
 	if (filter->flush_function) {
 		(*filter->flush_function)(filter->data);
@@ -650,7 +651,7 @@ mbfl_filt_conv_wchar_cp50222_flush(mbfl_convert_filter *filter)
 		CK((*filter->output_function)(0x28, filter->data));		/* '(' */
 		CK((*filter->output_function)(0x42, filter->data));		/* 'B' */
 	}
-	filter->status &= 0xff;
+	filter->status = 0;
 
 	if (filter->flush_function) {
 		(*filter->flush_function)(filter->data);
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_cp51932.c b/ext/mbstring/libmbfl/filters/mbfilter_cp51932.c
@@ -176,6 +176,7 @@ static int mbfl_filt_conv_cp51932_wchar_flush(mbfl_convert_filter *filter)
 	if (filter->status) {
 		/* Input string was truncated */
 		(*filter->output_function)(MBFL_BAD_INPUT, filter->data);
+		filter->status = 0;
 	}
 
 	if (filter->flush_function) {
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_cp932.c b/ext/mbstring/libmbfl/filters/mbfilter_cp932.c
@@ -272,6 +272,7 @@ static int mbfl_filt_conv_cp932_wchar_flush(mbfl_convert_filter *filter)
 {
 	if (filter->status) {
 		(*filter->output_function)(MBFL_BAD_INPUT, filter->data);
+		filter->status = 0;
 	}
 
 	if (filter->flush_function) {
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_cp936.c b/ext/mbstring/libmbfl/filters/mbfilter_cp936.c
@@ -169,6 +169,7 @@ static int mbfl_filt_conv_cp936_wchar_flush(mbfl_convert_filter *filter)
 {
 	if (filter->status) {
 		/* 2-byte character was truncated */
+		filter->status = 0;
 		CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));
 	}
 
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_euc_cn.c b/ext/mbstring/libmbfl/filters/mbfilter_euc_cn.c
@@ -210,6 +210,7 @@ static int mbfl_filt_conv_euccn_wchar_flush(mbfl_convert_filter *filter)
 {
 	if (filter->status == 1) {
 		/* 2-byte character was truncated */
+		filter->status = 0;
 		CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));
 	}
 
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_euc_jp.c b/ext/mbstring/libmbfl/filters/mbfilter_euc_jp.c
@@ -178,6 +178,7 @@ static int mbfl_filt_conv_eucjp_wchar_flush(mbfl_convert_filter *filter)
 {
 	if (filter->status) {
 		(*filter->output_function)(MBFL_BAD_INPUT, filter->data);
+		filter->status = 0;
 	}
 
 	if (filter->flush_function) {
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_euc_jp_win.c b/ext/mbstring/libmbfl/filters/mbfilter_euc_jp_win.c
@@ -223,6 +223,7 @@ static int mbfl_filt_conv_eucjpwin_wchar_flush(mbfl_convert_filter *filter)
 {
 	if (filter->status) {
 		(*filter->output_function)(MBFL_BAD_INPUT, filter->data);
+		filter->status = 0;
 	}
 
 	if (filter->flush_function) {
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_euc_kr.c b/ext/mbstring/libmbfl/filters/mbfilter_euc_kr.c
@@ -197,6 +197,7 @@ static int mbfl_filt_conv_euckr_wchar_flush(mbfl_convert_filter *filter)
 {
 	if (filter->status == 1) {
 		/* 2-byte character was truncated */
+		filter->status = 0;
 		CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));
 	}
 
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_euc_tw.c b/ext/mbstring/libmbfl/filters/mbfilter_euc_tw.c
@@ -243,6 +243,7 @@ static int mbfl_filt_conv_euctw_wchar_flush(mbfl_convert_filter *filter)
 {
 	if (filter->status) {
 		/* 2-byte or 4-byte character was truncated */
+		filter->status = 0;
 		CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));
 	}
 
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_gb18030.c b/ext/mbstring/libmbfl/filters/mbfilter_gb18030.c
@@ -239,6 +239,7 @@ static int mbfl_filt_conv_gb18030_wchar_flush(mbfl_convert_filter *filter)
 {
 	if (filter->status) {
 		/* multi-byte character was truncated */
+		filter->status = 0;
 		CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));
 	}
 
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_hz.c b/ext/mbstring/libmbfl/filters/mbfilter_hz.c
@@ -154,6 +154,8 @@ static int mbfl_filt_conv_hz_wchar_flush(mbfl_convert_filter *filter)
 		CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));
 	}
 
+	filter->status = 0;
+
 	if (filter->flush_function) {
 		(*filter->flush_function)(filter->data);
 	}
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_iso2022_jp_ms.c b/ext/mbstring/libmbfl/filters/mbfilter_iso2022_jp_ms.c
@@ -213,6 +213,7 @@ static int mbfl_filt_conv_2022jpms_wchar_flush(mbfl_convert_filter *filter)
 	if (filter->status & 0xF) {
 		(*filter->output_function)(MBFL_BAD_INPUT, filter->data);
 	}
+	filter->status = 0;
 
 	if (filter->flush_function) {
 		(*filter->flush_function)(filter->data);
@@ -352,6 +353,7 @@ int mbfl_filt_conv_any_2022jpms_flush(mbfl_convert_filter *filter)
 		CK((*filter->output_function)('(', filter->data));
 		CK((*filter->output_function)('B', filter->data));
 	}
+	filter->status = 0;
 
 	if (filter->flush_function) {
 		(*filter->flush_function)(filter->data);
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_iso2022_kr.c b/ext/mbstring/libmbfl/filters/mbfilter_iso2022_kr.c
@@ -176,6 +176,7 @@ static int mbfl_filt_conv_2022kr_wchar_flush(mbfl_convert_filter *filter)
 		/* 2-byte character was truncated */
 		CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));
 	}
+	filter->status = 0;
 
 	if (filter->flush_function) {
 		(*filter->flush_function)(filter->data);
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_iso2022jp_mobile.c b/ext/mbstring/libmbfl/filters/mbfilter_iso2022jp_mobile.c
@@ -243,6 +243,7 @@ static int mbfl_filt_conv_2022jp_mobile_wchar_flush(mbfl_convert_filter *filter)
 	if (filter->status & 0xF) {
 		(*filter->output_function)(MBFL_BAD_INPUT, filter->data);
 	}
+	filter->status = 0;
 
 	if (filter->flush_function) {
 		(*filter->flush_function)(filter->data);
@@ -358,6 +359,7 @@ static int mbfl_filt_conv_wchar_2022jp_mobile_flush(mbfl_convert_filter *filter)
 	if (filter->status == 1 && (c1 == '#' || (c1 >= '0' && c1 <= '9'))) {
 		(*filter->output_function)(c1, filter->data);
 	}
+	filter->status = filter->cache = 0;
 
 	if (filter->flush_function) {
 		(*filter->flush_function)(filter->data);
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_jis.c b/ext/mbstring/libmbfl/filters/mbfilter_jis.c
@@ -265,6 +265,12 @@ static int mbfl_filt_conv_jis_wchar_flush(mbfl_convert_filter *filter)
 		/* 2-byte (JIS X 0208 or 0212) character was truncated */
 		CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));
 	}
+	filter->status = 0;
+
+	if (filter->flush_function) {
+		(*filter->flush_function)(filter->data);
+	}
+
 	return 0;
 }
 
@@ -449,7 +455,7 @@ mbfl_filt_conv_any_jis_flush(mbfl_convert_filter *filter)
 		CK((*filter->output_function)(0x28, filter->data));		/* '(' */
 		CK((*filter->output_function)(0x42, filter->data));		/* 'B' */
 	}
-	filter->status &= 0xff;
+	filter->status = 0;
 
 	if (filter->flush_function != NULL) {
 		return (*filter->flush_function)(filter->data);
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_sjis.c b/ext/mbstring/libmbfl/filters/mbfilter_sjis.c
@@ -179,6 +179,7 @@ static int mbfl_filt_conv_sjis_wchar_flush(mbfl_convert_filter *filter)
 {
 	if (filter->status) {
 		(*filter->output_function)(MBFL_BAD_INPUT, filter->data);
+		filter->status = 0;
 	}
 
 	if (filter->flush_function) {
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_sjis_2004.c b/ext/mbstring/libmbfl/filters/mbfilter_sjis_2004.c
@@ -427,6 +427,12 @@ int mbfl_filt_conv_jis2004_wchar_flush(mbfl_convert_filter *filter)
 	if (filter->status & 0xF) {
 		CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));
 	}
+	filter->status = 0;
+
+	if (filter->flush_function) {
+		return (*filter->flush_function)(filter->data);
+	}
+
 	return 0;
 }
 
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_sjis_mac.c b/ext/mbstring/libmbfl/filters/mbfilter_sjis_mac.c
@@ -264,6 +264,7 @@ mbfl_filt_conv_sjis_mac_wchar(int c, mbfl_convert_filter *filter)
 static int mbfl_filt_conv_sjis_mac_wchar_flush(mbfl_convert_filter *filter)
 {
 	if (filter->status == 1) {
+		filter->status = 0;
 		CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));
 	}
 	return 0;
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_sjis_mobile.c b/ext/mbstring/libmbfl/filters/mbfilter_sjis_mobile.c
@@ -717,6 +717,7 @@ static int mbfl_filt_conv_sjis_wchar_flush(mbfl_convert_filter *filter)
 	if (filter->status && filter->status != 4) {
 		(*filter->output_function)(MBFL_BAD_INPUT, filter->data);
 	}
+	filter->status = 0;
 
 	if (filter->flush_function) {
 		(*filter->flush_function)(filter->data);
@@ -831,6 +832,7 @@ int mbfl_filt_conv_sjis_mobile_flush(mbfl_convert_filter *filter)
 {
 	int c1 = filter->cache;
 	if (filter->status == 1 && (c1 == '#' || (c1 >= '0' && c1 <= '9'))) {
+		filter->cache = filter->status = 0;
 		CK((*filter->output_function)(c1, filter->data));
 	} else if (filter->status == 2) {
 		/* First of a pair of Regional Indicator codepoints came at the end of a string */
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_ucs2.c b/ext/mbstring/libmbfl/filters/mbfilter_ucs2.c
@@ -207,6 +207,7 @@ static int mbfl_filt_conv_ucs2_wchar_flush(mbfl_convert_filter *filter)
 {
 	if (filter->status) {
 		/* Input string was truncated */
+		filter->status = 0;
 		CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));
 	}
 
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_ucs4.c b/ext/mbstring/libmbfl/filters/mbfilter_ucs4.c
@@ -289,6 +289,7 @@ static int mbfl_filt_conv_ucs4_wchar_flush(mbfl_convert_filter *filter)
 		/* Input string was truncated */
 		CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));
 	}
+	filter->status = 0;
 
 	if (filter->flush_function) {
 		(*filter->flush_function)(filter->data);
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_uhc.c b/ext/mbstring/libmbfl/filters/mbfilter_uhc.c
@@ -145,6 +145,7 @@ static int mbfl_filt_conv_uhc_wchar_flush(mbfl_convert_filter *filter)
 {
 	if (filter->status == 1) {
 		/* 2-byte character was truncated */
+		filter->status = 0;
 		CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));
 	}
 
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_utf16.c b/ext/mbstring/libmbfl/filters/mbfilter_utf16.c
@@ -313,6 +313,7 @@ static int mbfl_filt_conv_utf16_wchar_flush(mbfl_convert_filter *filter)
 {
 	if (filter->status) {
 		/* Input string was truncated */
+		filter->status = 0;
 		CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));
 	}
 
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_utf32.c b/ext/mbstring/libmbfl/filters/mbfilter_utf32.c
@@ -222,6 +222,7 @@ static int mbfl_filt_conv_utf32_wchar_flush(mbfl_convert_filter *filter)
 		/* Input string was truncated */
 		CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));
 	}
+	filter->cache = filter->status = 0;
 
 	if (filter->flush_function) {
 		(*filter->flush_function)(filter->data);
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_utf7.c b/ext/mbstring/libmbfl/filters/mbfilter_utf7.c
@@ -277,6 +277,7 @@ static int mbfl_filt_conv_utf7_wchar_flush(mbfl_convert_filter *filter)
 	if (filter->cache) {
 		/* Either we were expecting the 2nd half of a surrogate pair which
 		 * never came, or else the last Base64 data was not padded with zeroes */
+		filter->cache = 0;
 		(*filter->output_function)(MBFL_BAD_INPUT, filter->data);
 	}
 
@@ -385,6 +386,7 @@ int mbfl_filt_conv_wchar_utf7_flush(mbfl_convert_filter *filter)
 {
 	int status = filter->status;
 	int cache = filter->cache;
+	filter->status = filter->cache = 0;
 
 	/* flush fragments */
 	switch (status) {
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_utf7imap.c b/ext/mbstring/libmbfl/filters/mbfilter_utf7imap.c
@@ -283,6 +283,7 @@ static int mbfl_filt_conv_utf7imap_wchar_flush(mbfl_convert_filter *filter)
 		/* It is illegal for a UTF-7 IMAP string to end in a Base-64 encoded
 		 * section. It should always change back to ASCII before the end. */
 		(*filter->output_function)(MBFL_BAD_INPUT, filter->data);
+		filter->status = 0;
 	}
 
 	if (filter->flush_function) {
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_utf8.c b/ext/mbstring/libmbfl/filters/mbfilter_utf8.c
@@ -176,6 +176,7 @@ int mbfl_filt_conv_utf8_wchar_flush(mbfl_convert_filter *filter)
 {
 	if (filter->status) {
 		(*filter->output_function)(MBFL_BAD_INPUT, filter->data);
+		filter->status = 0;
 	}
 
 	if (filter->flush_function) {

Original file line number	Diff line number	Diff line change
`@@ -251,6 +251,7 @@ static int mbfl_filt_conv_big5_wchar_flush(mbfl_convert_filter *filter)`
`251`	`251`	`{`
`252`	`252`	`if (filter->status == 1) {`
`253`	`253`	`/* 2-byte character was truncated */`
	`254`	`+ filter->status = 0;`
`254`	`255`	`CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));`
`255`	`256`	`}`
`256`	`257`
Original file line number	Diff line number	Diff line change
`@@ -312,6 +312,7 @@ static int mbfl_filt_conv_cp5022x_wchar_flush(mbfl_convert_filter *filter)`
`312`	`312`	`/* 2-byte (JIS X 0208 or 0212) character was truncated */`
`313`	`313`	`CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));`
`314`	`314`	`}`
	`315`	`+ filter->status = 0;`
`315`	`316`
`316`	`317`	`if (filter->flush_function) {`
`317`	`318`	`(*filter->flush_function)(filter->data);`
`@@ -650,7 +651,7 @@ mbfl_filt_conv_wchar_cp50222_flush(mbfl_convert_filter *filter)`
`650`	`651`	`CK((filter->output_function)(0x28, filter->data)); / '(' */`
`651`	`652`	`CK((filter->output_function)(0x42, filter->data)); / 'B' */`
`652`	`653`	`}`
`653`		`- filter->status &= 0xff;`
	`654`	`+ filter->status = 0;`
`654`	`655`
`655`	`656`	`if (filter->flush_function) {`
`656`	`657`	`(*filter->flush_function)(filter->data);`
Original file line number	Diff line number	Diff line change
`@@ -176,6 +176,7 @@ static int mbfl_filt_conv_cp51932_wchar_flush(mbfl_convert_filter *filter)`
`176`	`176`	`if (filter->status) {`
`177`	`177`	`/* Input string was truncated */`
`178`	`178`	`(*filter->output_function)(MBFL_BAD_INPUT, filter->data);`
	`179`	`+ filter->status = 0;`
`179`	`180`	`}`
`180`	`181`
`181`	`182`	`if (filter->flush_function) {`
Original file line number	Diff line number	Diff line change
`@@ -272,6 +272,7 @@ static int mbfl_filt_conv_cp932_wchar_flush(mbfl_convert_filter *filter)`
`272`	`272`	`{`
`273`	`273`	`if (filter->status) {`
`274`	`274`	`(*filter->output_function)(MBFL_BAD_INPUT, filter->data);`
	`275`	`+ filter->status = 0;`
`275`	`276`	`}`
`276`	`277`
`277`	`278`	`if (filter->flush_function) {`
Original file line number	Diff line number	Diff line change
`@@ -169,6 +169,7 @@ static int mbfl_filt_conv_cp936_wchar_flush(mbfl_convert_filter *filter)`
`169`	`169`	`{`
`170`	`170`	`if (filter->status) {`
`171`	`171`	`/* 2-byte character was truncated */`
	`172`	`+ filter->status = 0;`
`172`	`173`	`CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));`
`173`	`174`	`}`
`174`	`175`
Original file line number	Diff line number	Diff line change
`@@ -210,6 +210,7 @@ static int mbfl_filt_conv_euccn_wchar_flush(mbfl_convert_filter *filter)`
`210`	`210`	`{`
`211`	`211`	`if (filter->status == 1) {`
`212`	`212`	`/* 2-byte character was truncated */`
	`213`	`+ filter->status = 0;`
`213`	`214`	`CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));`
`214`	`215`	`}`
`215`	`216`
Original file line number	Diff line number	Diff line change
`@@ -178,6 +178,7 @@ static int mbfl_filt_conv_eucjp_wchar_flush(mbfl_convert_filter *filter)`
`178`	`178`	`{`
`179`	`179`	`if (filter->status) {`
`180`	`180`	`(*filter->output_function)(MBFL_BAD_INPUT, filter->data);`
	`181`	`+ filter->status = 0;`
`181`	`182`	`}`
`182`	`183`
`183`	`184`	`if (filter->flush_function) {`
Original file line number	Diff line number	Diff line change
`@@ -223,6 +223,7 @@ static int mbfl_filt_conv_eucjpwin_wchar_flush(mbfl_convert_filter *filter)`
`223`	`223`	`{`
`224`	`224`	`if (filter->status) {`
`225`	`225`	`(*filter->output_function)(MBFL_BAD_INPUT, filter->data);`
	`226`	`+ filter->status = 0;`
`226`	`227`	`}`
`227`	`228`
`228`	`229`	`if (filter->flush_function) {`
Original file line number	Diff line number	Diff line change
`@@ -197,6 +197,7 @@ static int mbfl_filt_conv_euckr_wchar_flush(mbfl_convert_filter *filter)`
`197`	`197`	`{`
`198`	`198`	`if (filter->status == 1) {`
`199`	`199`	`/* 2-byte character was truncated */`
	`200`	`+ filter->status = 0;`
`200`	`201`	`CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));`
`201`	`202`	`}`
`202`	`203`
Original file line number	Diff line number	Diff line change
`@@ -243,6 +243,7 @@ static int mbfl_filt_conv_euctw_wchar_flush(mbfl_convert_filter *filter)`
`243`	`243`	`{`
`244`	`244`	`if (filter->status) {`
`245`	`245`	`/* 2-byte or 4-byte character was truncated */`
	`246`	`+ filter->status = 0;`
`246`	`247`	`CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));`
`247`	`248`	`}`
`248`	`249`