replace alloca with safe_emalloc in mb_guess_encoding_for_strings

jordikroon · jordikroon · commit afeac389acaa · 2026-02-15T23:55:43.000+01:00
diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c
@@ -3415,14 +3415,15 @@ MBSTRING_API const mbfl_encoding* mb_guess_encoding_for_strings(const unsigned c
 	}
 
 	/* Allocate on stack; when we return, this array is automatically freed */
-	struct candidate *array = alloca(elist_size * sizeof(struct candidate));
+	struct candidate *array = (struct candidate *) safe_emalloc(elist_size, sizeof(struct candidate), 0);
 	elist_size = init_candidate_array(array, elist_size, elist, strings, str_lengths, n, strict, order_significant);
 
 	while (n--) {
 		start_string(array, elist_size, strings[n], str_lengths[n]);
 		elist_size = count_demerits(array, elist_size, strict);
 		if (elist_size == 0) {
 			/* All candidates were eliminated */
+			efree(array);
 			return NULL;
 		}
 	}
@@ -3434,7 +3435,10 @@ MBSTRING_API const mbfl_encoding* mb_guess_encoding_for_strings(const unsigned c
 			best = i;
 		}
 	}
-	return array[best].enc;
+
+	const mbfl_encoding *result = array[best].enc;
+	efree(array);
+	return result;
 }
 
 /* When doing 'strict' detection, any string which is invalid in the candidate encoding
diff --git a/ext/mbstring/tests/gh21223.phpt b/ext/mbstring/tests/gh21223.phpt
@@ -0,0 +1,19 @@
+--TEST--
+GH-21223 (Stack overflow in mb_guess_encoding called via mb_detect_encoding)
+--EXTENSIONS--
+mbstring
+--FILE--
+<?php
+$str = "hello";
+
+$list = [];
+for ($i = 0; $i < 500000; $i++) {
+    $list[] = "UTF-8";
+}
+
+var_dump(mb_detect_encoding($str, $list, false));
+echo "Done";
+?>
+--EXPECT--
+string(5) "UTF-8"
+Done

Original file line number	Diff line number	Diff line change
`@@ -3415,14 +3415,15 @@ MBSTRING_API const mbfl_encoding* mb_guess_encoding_for_strings(const unsigned c`
`3415`	`3415`	`}`
`3416`	`3416`
`3417`	`3417`	`/* Allocate on stack; when we return, this array is automatically freed */`
`3418`		`- struct candidate array = alloca(elist_size sizeof(struct candidate));`
	`3418`	`+ struct candidate array = (struct candidate ) safe_emalloc(elist_size, sizeof(struct candidate), 0);`
`3419`	`3419`	`elist_size = init_candidate_array(array, elist_size, elist, strings, str_lengths, n, strict, order_significant);`
`3420`	`3420`
`3421`	`3421`	`while (n--) {`
`3422`	`3422`	`start_string(array, elist_size, strings[n], str_lengths[n]);`
`3423`	`3423`	`elist_size = count_demerits(array, elist_size, strict);`
`3424`	`3424`	`if (elist_size == 0) {`
`3425`	`3425`	`/* All candidates were eliminated */`
	`3426`	`+ efree(array);`
`3426`	`3427`	`return NULL;`
`3427`	`3428`	`}`
`3428`	`3429`	`}`
`@@ -3434,7 +3435,10 @@ MBSTRING_API const mbfl_encoding* mb_guess_encoding_for_strings(const unsigned c`
`3434`	`3435`	`best = i;`
`3435`	`3436`	`}`
`3436`	`3437`	`}`
`3437`		`- return array[best].enc;`
	`3438`	`+`
	`3439`	`+ const mbfl_encoding *result = array[best].enc;`
	`3440`	`+ efree(array);`
	`3441`	`+ return result;`
`3438`	`3442`	`}`
`3439`	`3443`
`3440`	`3444`	`/* When doing 'strict' detection, any string which is invalid in the candidate encoding`