MFH: fixed #40685: removed '&' in mb_decode_numericentity().

Rui Hirokawa · Rui Hirokawa · commit 3d888412da03 · 2011-09-24T02:20:38.000Z
diff --git a/ext/mbstring/libmbfl/mbfl/mbfilter.c b/ext/mbstring/libmbfl/mbfl/mbfilter.c
@@ -2702,6 +2702,53 @@ collector_decode_htmlnumericentity(int c, void *data)
 	return c;
 }
 
+int mbfl_filt_decode_htmlnumericentity_flush(mbfl_convert_filter *filter)
+{
+	struct collector_htmlnumericentity_data *pc = (struct collector_htmlnumericentity_data *)filter;
+	int n, s, r, d;
+
+	if (pc->status) {
+		switch (pc->status) {
+		case 1: /* '&' */
+			(*pc->decoder->filter_function)(0x26, pc->decoder);		/* '&' */
+			break;
+		case 2: /* '#' */
+			(*pc->decoder->filter_function)(0x26, pc->decoder);		/* '&' */
+			(*pc->decoder->filter_function)(0x23, pc->decoder);		/* '#' */
+			break;
+		case 3: /* '0'-'9' */
+			(*pc->decoder->filter_function)(0x26, pc->decoder);		/* '&' */
+			(*pc->decoder->filter_function)(0x23, pc->decoder);		/* '#' */
+
+			s = pc->cache;
+			r = 1;
+			n = pc->digit;
+			while (n > 0) {
+				r *= 10;
+				n--;
+			}
+			s %= r;
+			r /= 10;
+			while (r > 0) {
+				d = s/r;
+				s %= r;
+				r /= 10;
+				(*pc->decoder->filter_function)(mbfl_hexchar_table[d], pc->decoder);
+			}
+
+			break;
+		default:
+			break;
+		}
+	}
+
+	pc->status = 0;
+	pc->cache = 0;
+	pc->digit = 0;
+
+	return 0;
+}
+
 mbfl_string *
 mbfl_html_numeric_entity(
     mbfl_string *string,
@@ -2739,7 +2786,8 @@ mbfl_html_numeric_entity(
 		encoder = mbfl_convert_filter_new(
 		    string->no_encoding,
 		    mbfl_no_encoding_wchar,
-		    collector_decode_htmlnumericentity, 0, &pc);
+		    collector_decode_htmlnumericentity, 
+			(int (*)(void*))mbfl_filt_decode_htmlnumericentity_flush, &pc);
 	}
 	if (pc.decoder == NULL || encoder == NULL) {
 		mbfl_convert_filter_delete(encoder);
diff --git a/ext/mbstring/tests/bug40685.phpt b/ext/mbstring/tests/bug40685.phpt
@@ -0,0 +1,20 @@
+--TEST--
+Bug #40685 (mb_decode_numericentity() removes '&' in the string)
+--SKIPIF--
+<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
+--FILE--
+<?php
+$map = array(0, 0x10FFFF, 0, 0xFFFFFF);
+var_dump(mb_decode_numericentity('&', $map, 'UTF-8'));
+var_dump(mb_decode_numericentity('&&&', $map, 'UTF-8'));
+var_dump(mb_decode_numericentity('&#', $map, 'UTF-8'));
+var_dump(mb_decode_numericentity('&#61', $map, 'UTF-8'));
+var_dump(mb_decode_numericentity('&#61;', $map, 'UTF-8'));
+?>
+--EXPECTF--
+string(1) "&"
+string(3) "&&&"
+string(2) "&#"
+string(4) "&#61"
+string(1) "="
+
