In legacy text conversion filters, reset filter state in 'flush' function

alexdowad · alexdowad · commit f3c8efd711f4 · 2022-08-16T16:43:27.000+02:00
Up until now, I believed that mbstring had been designed such
that (legacy) text conversion filter objects should not be
re-used after the 'flush' function is called to complete a
text conversion operation.

However, it turns out that the implementation of
_php_mb_encoding_handler_ex DID re-use filter objects
after flush. That means that functions which were based on
_php_mb_encoding_handler_ex, including mb_parse_str and
php_mb_post_handler, would break in some cases; state left
over from converting one substring (perhaps a variable name)
would affect the results of converting another substring
(perhaps the value of the same variable), and could cause
extraneous characters to get inserted into the output.

All this code should be deleted soon, but fixing it helps me
to avoid spurious failures when fuzzing the new/old code to
look for differences in behavior.
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_big5.c b/ext/mbstring/libmbfl/filters/mbfilter_big5.c
@@ -257,6 +257,7 @@ static int mbfl_filt_conv_big5_wchar_flush(mbfl_convert_filter *filter)
 {
 	if (filter->status == 1) {
 		/* 2-byte character was truncated */
+		filter->status = 0;
 		CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));
 	}
 
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_cp5022x.c b/ext/mbstring/libmbfl/filters/mbfilter_cp5022x.c
@@ -322,6 +322,7 @@ static int mbfl_filt_conv_cp5022x_wchar_flush(mbfl_convert_filter *filter)
 		 * escape sequence was truncated */
 		CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));
 	}
+	filter->status = 0;
 
 	if (filter->flush_function) {
 		(*filter->flush_function)(filter->data);
@@ -824,7 +825,7 @@ static int mbfl_filt_conv_wchar_cp50222_flush(mbfl_convert_filter *filter)
 		CK((*filter->output_function)(0x28, filter->data));		/* '(' */
 		CK((*filter->output_function)(0x42, filter->data));		/* 'B' */
 	}
-	filter->status &= 0xff;
+	filter->status = 0;
 
 	if (filter->flush_function) {
 		(*filter->flush_function)(filter->data);
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_cp51932.c b/ext/mbstring/libmbfl/filters/mbfilter_cp51932.c
@@ -178,6 +178,7 @@ static int mbfl_filt_conv_cp51932_wchar_flush(mbfl_convert_filter *filter)
 	if (filter->status) {
 		/* Input string was truncated */
 		(*filter->output_function)(MBFL_BAD_INPUT, filter->data);
+		filter->status = 0;
 	}
 
 	if (filter->flush_function) {
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_cp932.c b/ext/mbstring/libmbfl/filters/mbfilter_cp932.c
@@ -217,6 +217,7 @@ static int mbfl_filt_conv_cp932_wchar_flush(mbfl_convert_filter *filter)
 {
 	if (filter->status) {
 		(*filter->output_function)(MBFL_BAD_INPUT, filter->data);
+		filter->status = 0;
 	}
 
 	if (filter->flush_function) {
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_cp936.c b/ext/mbstring/libmbfl/filters/mbfilter_cp936.c
@@ -166,6 +166,7 @@ static int mbfl_filt_conv_cp936_wchar_flush(mbfl_convert_filter *filter)
 {
 	if (filter->status) {
 		/* 2-byte character was truncated */
+		filter->status = 0;
 		CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));
 	}
 
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_euc_cn.c b/ext/mbstring/libmbfl/filters/mbfilter_euc_cn.c
@@ -209,6 +209,7 @@ static int mbfl_filt_conv_euccn_wchar_flush(mbfl_convert_filter *filter)
 {
 	if (filter->status == 1) {
 		/* 2-byte character was truncated */
+		filter->status = 0;
 		CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));
 	}
 
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_euc_jp.c b/ext/mbstring/libmbfl/filters/mbfilter_euc_jp.c
@@ -180,6 +180,7 @@ static int mbfl_filt_conv_eucjp_wchar_flush(mbfl_convert_filter *filter)
 {
 	if (filter->status) {
 		(*filter->output_function)(MBFL_BAD_INPUT, filter->data);
+		filter->status = 0;
 	}
 
 	if (filter->flush_function) {
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_euc_jp_win.c b/ext/mbstring/libmbfl/filters/mbfilter_euc_jp_win.c
@@ -226,6 +226,7 @@ static int mbfl_filt_conv_eucjpwin_wchar_flush(mbfl_convert_filter *filter)
 {
 	if (filter->status) {
 		(*filter->output_function)(MBFL_BAD_INPUT, filter->data);
+		filter->status = 0;
 	}
 
 	if (filter->flush_function) {
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_euc_kr.c b/ext/mbstring/libmbfl/filters/mbfilter_euc_kr.c
@@ -193,6 +193,7 @@ static int mbfl_filt_conv_euckr_wchar_flush(mbfl_convert_filter *filter)
 {
 	if (filter->status == 1) {
 		/* 2-byte character was truncated */
+		filter->status = 0;
 		CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));
 	}
 
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_euc_tw.c b/ext/mbstring/libmbfl/filters/mbfilter_euc_tw.c
@@ -245,6 +245,7 @@ static int mbfl_filt_conv_euctw_wchar_flush(mbfl_convert_filter *filter)
 {
 	if (filter->status) {
 		/* 2-byte or 4-byte character was truncated */
+		filter->status = 0;
 		CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));
 	}
 
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_gb18030.c b/ext/mbstring/libmbfl/filters/mbfilter_gb18030.c
@@ -231,6 +231,7 @@ static int mbfl_filt_conv_gb18030_wchar_flush(mbfl_convert_filter *filter)
 {
 	if (filter->status) {
 		/* multi-byte character was truncated */
+		filter->status = 0;
 		CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));
 	}
 
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_hz.c b/ext/mbstring/libmbfl/filters/mbfilter_hz.c
@@ -154,6 +154,8 @@ static int mbfl_filt_conv_hz_wchar_flush(mbfl_convert_filter *filter)
 		CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));
 	}
 
+	filter->status = 0;
+
 	if (filter->flush_function) {
 		(*filter->flush_function)(filter->data);
 	}
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_iso2022_jp_ms.c b/ext/mbstring/libmbfl/filters/mbfilter_iso2022_jp_ms.c
@@ -219,6 +219,7 @@ static int mbfl_filt_conv_2022jpms_wchar_flush(mbfl_convert_filter *filter)
 	if (filter->status & 0xF) {
 		(*filter->output_function)(MBFL_BAD_INPUT, filter->data);
 	}
+	filter->status = 0;
 
 	if (filter->flush_function) {
 		(*filter->flush_function)(filter->data);
@@ -354,6 +355,7 @@ int mbfl_filt_conv_any_2022jpms_flush(mbfl_convert_filter *filter)
 		CK((*filter->output_function)('(', filter->data));
 		CK((*filter->output_function)('B', filter->data));
 	}
+	filter->status = 0;
 
 	if (filter->flush_function) {
 		(*filter->flush_function)(filter->data);
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_iso2022_kr.c b/ext/mbstring/libmbfl/filters/mbfilter_iso2022_kr.c
@@ -178,6 +178,7 @@ static int mbfl_filt_conv_2022kr_wchar_flush(mbfl_convert_filter *filter)
 		/* 2-byte character was truncated */
 		CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));
 	}
+	filter->status = 0;
 
 	if (filter->flush_function) {
 		(*filter->flush_function)(filter->data);
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_iso2022jp_mobile.c b/ext/mbstring/libmbfl/filters/mbfilter_iso2022jp_mobile.c
@@ -313,6 +313,7 @@ static int mbfl_filt_conv_2022jp_mobile_wchar_flush(mbfl_convert_filter *filter)
 	if (filter->status & 0xF) {
 		(*filter->output_function)(MBFL_BAD_INPUT, filter->data);
 	}
+	filter->status = 0;
 
 	if (filter->flush_function) {
 		(*filter->flush_function)(filter->data);
@@ -483,6 +484,7 @@ static int mbfl_filt_conv_wchar_2022jp_mobile_flush(mbfl_convert_filter *filter)
 	if ((filter->status & 0xFF) == 1 && (c1 == '#' || (c1 >= '0' && c1 <= '9'))) {
 		(*filter->output_function)(c1, filter->data);
 	}
+	filter->status = filter->cache = 0;
 
 	if (filter->flush_function) {
 		(*filter->flush_function)(filter->data);
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_jis.c b/ext/mbstring/libmbfl/filters/mbfilter_jis.c
@@ -271,6 +271,7 @@ static int mbfl_filt_conv_jis_wchar_flush(mbfl_convert_filter *filter)
 		 * or else escape sequence was truncated */
 		CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));
 	}
+	filter->status = 0;
 
 	if (filter->flush_function) {
 		(*filter->flush_function)(filter->data);
@@ -451,7 +452,7 @@ mbfl_filt_conv_any_jis_flush(mbfl_convert_filter *filter)
 		CK((*filter->output_function)(0x28, filter->data));		/* '(' */
 		CK((*filter->output_function)(0x42, filter->data));		/* 'B' */
 	}
-	filter->status &= 0xff;
+	filter->status = 0;
 
 	if (filter->flush_function != NULL) {
 		return (*filter->flush_function)(filter->data);
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_sjis.c b/ext/mbstring/libmbfl/filters/mbfilter_sjis.c
@@ -183,6 +183,7 @@ static int mbfl_filt_conv_sjis_wchar_flush(mbfl_convert_filter *filter)
 {
 	if (filter->status) {
 		(*filter->output_function)(MBFL_BAD_INPUT, filter->data);
+		filter->status = 0;
 	}
 
 	if (filter->flush_function) {
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_sjis_2004.c b/ext/mbstring/libmbfl/filters/mbfilter_sjis_2004.c
@@ -491,6 +491,7 @@ int mbfl_filt_conv_jis2004_wchar_flush(mbfl_convert_filter *filter)
 	if (filter->status & 0xF) {
 		CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));
 	}
+	filter->status = 0;
 
 	if (filter->flush_function) {
 		return (*filter->flush_function)(filter->data);
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_sjis_mac.c b/ext/mbstring/libmbfl/filters/mbfilter_sjis_mac.c
@@ -266,6 +266,7 @@ mbfl_filt_conv_sjis_mac_wchar(int c, mbfl_convert_filter *filter)
 static int mbfl_filt_conv_sjis_mac_wchar_flush(mbfl_convert_filter *filter)
 {
 	if (filter->status == 1) {
+		filter->status = 0;
 		CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));
 	}
 
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_sjis_mobile.c b/ext/mbstring/libmbfl/filters/mbfilter_sjis_mobile.c
@@ -722,6 +722,7 @@ static int mbfl_filt_conv_sjis_wchar_flush(mbfl_convert_filter *filter)
 	if (filter->status && filter->status != 4) {
 		(*filter->output_function)(MBFL_BAD_INPUT, filter->data);
 	}
+	filter->status = 0;
 
 	if (filter->flush_function) {
 		(*filter->flush_function)(filter->data);
@@ -826,6 +827,7 @@ int mbfl_filt_conv_sjis_mobile_flush(mbfl_convert_filter *filter)
 {
 	int c1 = filter->cache;
 	if (filter->status == 1 && (c1 == '#' || (c1 >= '0' && c1 <= '9'))) {
+		filter->cache = filter->status = 0;
 		CK((*filter->output_function)(c1, filter->data));
 	} else if (filter->status == 2) {
 		/* First of a pair of Regional Indicator codepoints came at the end of a string */
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_ucs2.c b/ext/mbstring/libmbfl/filters/mbfilter_ucs2.c
@@ -218,6 +218,7 @@ static int mbfl_filt_conv_ucs2_wchar_flush(mbfl_convert_filter *filter)
 {
 	if (filter->status) {
 		/* Input string was truncated */
+		filter->status = 0;
 		CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));
 	}
 
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_ucs4.c b/ext/mbstring/libmbfl/filters/mbfilter_ucs4.c
@@ -301,6 +301,7 @@ static int mbfl_filt_conv_ucs4_wchar_flush(mbfl_convert_filter *filter)
 		/* Input string was truncated */
 		CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));
 	}
+	filter->status = 0;
 
 	if (filter->flush_function) {
 		(*filter->flush_function)(filter->data);
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_uhc.c b/ext/mbstring/libmbfl/filters/mbfilter_uhc.c
@@ -147,6 +147,7 @@ static int mbfl_filt_conv_uhc_wchar_flush(mbfl_convert_filter *filter)
 {
 	if (filter->status == 1) {
 		/* 2-byte character was truncated */
+		filter->status = 0;
 		CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));
 	}
 
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_utf16.c b/ext/mbstring/libmbfl/filters/mbfilter_utf16.c
@@ -323,6 +323,7 @@ static int mbfl_filt_conv_utf16_wchar_flush(mbfl_convert_filter *filter)
 {
 	if (filter->status) {
 		/* Input string was truncated */
+		filter->status = 0;
 		CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));
 	}
 
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_utf32.c b/ext/mbstring/libmbfl/filters/mbfilter_utf32.c
@@ -233,6 +233,7 @@ static int mbfl_filt_conv_utf32_wchar_flush(mbfl_convert_filter *filter)
 		/* Input string was truncated */
 		CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));
 	}
+	filter->cache = filter->status = 0;
 
 	if (filter->flush_function) {
 		(*filter->flush_function)(filter->data);
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_utf7.c b/ext/mbstring/libmbfl/filters/mbfilter_utf7.c
@@ -267,6 +267,7 @@ static int mbfl_filt_conv_utf7_wchar_flush(mbfl_convert_filter *filter)
 	if (filter->cache) {
 		/* Either we were expecting the 2nd half of a surrogate pair which
 		 * never came, or else the last Base64 data was not padded with zeroes */
+		filter->cache = 0;
 		(*filter->output_function)(MBFL_BAD_INPUT, filter->data);
 	}
 
@@ -373,6 +374,7 @@ int mbfl_filt_conv_wchar_utf7_flush(mbfl_convert_filter *filter)
 {
 	int status = filter->status;
 	int cache = filter->cache;
+	filter->status = filter->cache = 0;
 
 	/* flush fragments */
 	switch (status) {
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_utf7imap.c b/ext/mbstring/libmbfl/filters/mbfilter_utf7imap.c
@@ -287,6 +287,7 @@ static int mbfl_filt_conv_utf7imap_wchar_flush(mbfl_convert_filter *filter)
 		/* It is illegal for a UTF-7 IMAP string to end in a Base-64 encoded
 		 * section. It should always change back to ASCII before the end. */
 		(*filter->output_function)(MBFL_BAD_INPUT, filter->data);
+		filter->status = 0;
 	}
 
 	if (filter->flush_function) {
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_utf8.c b/ext/mbstring/libmbfl/filters/mbfilter_utf8.c
@@ -180,6 +180,7 @@ int mbfl_filt_conv_utf8_wchar_flush(mbfl_convert_filter *filter)
 {
 	if (filter->status) {
 		(*filter->output_function)(MBFL_BAD_INPUT, filter->data);
+		filter->status = 0;
 	}
 
 	if (filter->flush_function) {

Original file line number	Diff line number	Diff line change
`@@ -257,6 +257,7 @@ static int mbfl_filt_conv_big5_wchar_flush(mbfl_convert_filter *filter)`
`257`	`257`	`{`
`258`	`258`	`if (filter->status == 1) {`
`259`	`259`	`/* 2-byte character was truncated */`
	`260`	`+ filter->status = 0;`
`260`	`261`	`CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));`
`261`	`262`	`}`
`262`	`263`
Original file line number	Diff line number	Diff line change
`@@ -322,6 +322,7 @@ static int mbfl_filt_conv_cp5022x_wchar_flush(mbfl_convert_filter *filter)`
`322`	`322`	`* escape sequence was truncated */`
`323`	`323`	`CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));`
`324`	`324`	`}`
	`325`	`+ filter->status = 0;`
`325`	`326`
`326`	`327`	`if (filter->flush_function) {`
`327`	`328`	`(*filter->flush_function)(filter->data);`
`@@ -824,7 +825,7 @@ static int mbfl_filt_conv_wchar_cp50222_flush(mbfl_convert_filter *filter)`
`824`	`825`	`CK((filter->output_function)(0x28, filter->data)); / '(' */`
`825`	`826`	`CK((filter->output_function)(0x42, filter->data)); / 'B' */`
`826`	`827`	`}`
`827`		`- filter->status &= 0xff;`
	`828`	`+ filter->status = 0;`
`828`	`829`
`829`	`830`	`if (filter->flush_function) {`
`830`	`831`	`(*filter->flush_function)(filter->data);`
Original file line number	Diff line number	Diff line change
`@@ -178,6 +178,7 @@ static int mbfl_filt_conv_cp51932_wchar_flush(mbfl_convert_filter *filter)`
`178`	`178`	`if (filter->status) {`
`179`	`179`	`/* Input string was truncated */`
`180`	`180`	`(*filter->output_function)(MBFL_BAD_INPUT, filter->data);`
	`181`	`+ filter->status = 0;`
`181`	`182`	`}`
`182`	`183`
`183`	`184`	`if (filter->flush_function) {`
Original file line number	Diff line number	Diff line change
`@@ -217,6 +217,7 @@ static int mbfl_filt_conv_cp932_wchar_flush(mbfl_convert_filter *filter)`
`217`	`217`	`{`
`218`	`218`	`if (filter->status) {`
`219`	`219`	`(*filter->output_function)(MBFL_BAD_INPUT, filter->data);`
	`220`	`+ filter->status = 0;`
`220`	`221`	`}`
`221`	`222`
`222`	`223`	`if (filter->flush_function) {`
Original file line number	Diff line number	Diff line change
`@@ -166,6 +166,7 @@ static int mbfl_filt_conv_cp936_wchar_flush(mbfl_convert_filter *filter)`
`166`	`166`	`{`
`167`	`167`	`if (filter->status) {`
`168`	`168`	`/* 2-byte character was truncated */`
	`169`	`+ filter->status = 0;`
`169`	`170`	`CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));`
`170`	`171`	`}`
`171`	`172`
Original file line number	Diff line number	Diff line change
`@@ -209,6 +209,7 @@ static int mbfl_filt_conv_euccn_wchar_flush(mbfl_convert_filter *filter)`
`209`	`209`	`{`
`210`	`210`	`if (filter->status == 1) {`
`211`	`211`	`/* 2-byte character was truncated */`
	`212`	`+ filter->status = 0;`
`212`	`213`	`CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));`
`213`	`214`	`}`
`214`	`215`
Original file line number	Diff line number	Diff line change
`@@ -180,6 +180,7 @@ static int mbfl_filt_conv_eucjp_wchar_flush(mbfl_convert_filter *filter)`
`180`	`180`	`{`
`181`	`181`	`if (filter->status) {`
`182`	`182`	`(*filter->output_function)(MBFL_BAD_INPUT, filter->data);`
	`183`	`+ filter->status = 0;`
`183`	`184`	`}`
`184`	`185`
`185`	`186`	`if (filter->flush_function) {`
Original file line number	Diff line number	Diff line change
`@@ -226,6 +226,7 @@ static int mbfl_filt_conv_eucjpwin_wchar_flush(mbfl_convert_filter *filter)`
`226`	`226`	`{`
`227`	`227`	`if (filter->status) {`
`228`	`228`	`(*filter->output_function)(MBFL_BAD_INPUT, filter->data);`
	`229`	`+ filter->status = 0;`
`229`	`230`	`}`
`230`	`231`
`231`	`232`	`if (filter->flush_function) {`
Original file line number	Diff line number	Diff line change
`@@ -193,6 +193,7 @@ static int mbfl_filt_conv_euckr_wchar_flush(mbfl_convert_filter *filter)`
`193`	`193`	`{`
`194`	`194`	`if (filter->status == 1) {`
`195`	`195`	`/* 2-byte character was truncated */`
	`196`	`+ filter->status = 0;`
`196`	`197`	`CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));`
`197`	`198`	`}`
`198`	`199`
Original file line number	Diff line number	Diff line change
`@@ -245,6 +245,7 @@ static int mbfl_filt_conv_euctw_wchar_flush(mbfl_convert_filter *filter)`
`245`	`245`	`{`
`246`	`246`	`if (filter->status) {`
`247`	`247`	`/* 2-byte or 4-byte character was truncated */`
	`248`	`+ filter->status = 0;`
`248`	`249`	`CK((*filter->output_function)(MBFL_BAD_INPUT, filter->data));`
`249`	`250`	`}`
`250`	`251`