uri: Fix RFC3986 to_string implementation with ExcludeFragment returning non-terminated strings (php#20811)

ndossche · web-flow · commit 3f7bfaf3aecb · 2026-01-02T15:00:47.000+01:00
zend_string_truncate() doesn't put a NUL byte.
Right now this doesn't matter as this code path is only hittable via the
equals() method, but if other extension (or future other code) starts
using this code path, then it can be problematic as all user-exposed
zend_strings need to end with a NUL byte.
diff --git a/ext/uri/uri_parser_rfc3986.c b/ext/uri/uri_parser_rfc3986.c
@@ -595,6 +595,7 @@ ZEND_ATTRIBUTE_NONNULL static zend_string *php_uri_parser_rfc3986_to_string(void
 		const char *pos = zend_memrchr(ZSTR_VAL(uri_string), '#', ZSTR_LEN(uri_string));
 		if (pos != NULL) {
 			uri_string = zend_string_truncate(uri_string, (pos - ZSTR_VAL(uri_string)), false);
+			ZSTR_VAL(uri_string)[ZSTR_LEN(uri_string)] = '\0';
 		}
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -595,6 +595,7 @@ ZEND_ATTRIBUTE_NONNULL static zend_string *php_uri_parser_rfc3986_to_string(void`
`595`	`595`	`const char *pos = zend_memrchr(ZSTR_VAL(uri_string), '#', ZSTR_LEN(uri_string));`
`596`	`596`	`if (pos != NULL) {`
`597`	`597`	`uri_string = zend_string_truncate(uri_string, (pos - ZSTR_VAL(uri_string)), false);`
	`598`	`+ ZSTR_VAL(uri_string)[ZSTR_LEN(uri_string)] = '\0';`
`598`	`599`	`}`
`599`	`600`	`}`
`600`	`601`