Address multiple sign issues in ifilter

`sp_is_dangerous_char[(int)*p]` is indexed by `(int)*p`. If char is signed (default on x86), values 0x80–0xFF produce negative indices into the array, causing an out-of-bounds read. The `sp_server_encode` function has the same issue.
author: jvoisin 2026-04-24 11:32:35 +0200
committer: jvoisin 2026-04-24 11:32:35 +0200
commit: 56447f425f0fa241e0005df0e620bda97eb06340 (patch)
tree: 1db071d759e303bddcfeaeb7ccd63ac91fd93730 /src
parent: 237131c6f02ce1bca8c5a41b25c274ff2c34e751 (diff)
1 files changed, 5 insertions, 5 deletions
diff --git a/src/sp_ifilter.c b/src/sp_ifilter.c
index 67eb5f3..ffdeec1 100644
--- a/src/sp_ifilter.c
+++ b/src/sp_ifilter.c
@@ -33,7 +33,7 @@ static void sp_server_strip(HashTable *svars, const char *key, size_t keylen) {
  char *tmpend = tmp + ZSTR_LEN(tmp_zstr);
  for (char *p = tmp; p < tmpend; p++) {
-    if (sp_is_dangerous_char[(int)*p]) {
+    if (sp_is_dangerous_char[(unsigned char)*p]) {
      *p = '_';
    }
  }
@@ -49,17 +49,17 @@ static void sp_server_encode(HashTable *svars, const char *key, size_t keylen) {
  int extra = 0;
  
  for (char *p = tmp; p < tmpend; p++) {
-    extra += sp_is_dangerous_char[(int)*p] * 2;
+    extra += sp_is_dangerous_char[(unsigned char)*p] * 2;
  }
  if (!extra) { return; }
  zend_string *new_zstr = zend_string_alloc(ZSTR_LEN(tmp_zstr) + extra, 0);
  char *n = ZSTR_VAL(new_zstr);
  for (char *p = tmp; p < tmpend; p++, n++) {
-    if (sp_is_dangerous_char[(int)*p]) {
+    if (sp_is_dangerous_char[(unsigned char)*p]) {
      *n++ = '%';
-      *n++ = sp_hexchars[*p >> 4];
+      *n++ = sp_hexchars[(unsigned char)*p >> 4];
-      *n = sp_hexchars[*p & 15];
+      *n = sp_hexchars[(unsigned char)*p & 15];
    } else {
      *n = *p;
    }
author	jvoisin	2026-04-24 11:32:35 +0200
committer	jvoisin	2026-04-24 11:32:35 +0200
commit	56447f425f0fa241e0005df0e620bda97eb06340 (patch)
tree	1db071d759e303bddcfeaeb7ccd63ac91fd93730 /src
parent	237131c6f02ce1bca8c5a41b25c274ff2c34e751 (diff)

diff --git a/src/sp_ifilter.c b/src/sp_ifilter.c index 67eb5f3..ffdeec1 100644 --- a/src/sp_ifilter.c +++ b/src/sp_ifilter.c
@@ -33,7 +33,7 @@ static void sp_server_strip(HashTable svars, const char key, size_t keylen) {
33	char *tmpend = tmp + ZSTR_LEN(tmp_zstr);	33	char *tmpend = tmp + ZSTR_LEN(tmp_zstr);
34		34
35	for (char *p = tmp; p < tmpend; p++) {	35	for (char *p = tmp; p < tmpend; p++) {
36	if (sp_is_dangerous_char[(int)*p]) {	36	if (sp_is_dangerous_char[(unsigned char)*p]) {
37	*p = '_';	37	*p = '_';
38	}	38	}
39	}	39	}
@@ -49,17 +49,17 @@ static void sp_server_encode(HashTable svars, const char key, size_t keylen) {
49	int extra = 0;	49	int extra = 0;
50		50
51	for (char *p = tmp; p < tmpend; p++) {	51	for (char *p = tmp; p < tmpend; p++) {
52	extra += sp_is_dangerous_char[(int)p] 2;	52	extra += sp_is_dangerous_char[(unsigned char)p] 2;
53	}	53	}
54	if (!extra) { return; }	54	if (!extra) { return; }
55		55
56	zend_string *new_zstr = zend_string_alloc(ZSTR_LEN(tmp_zstr) + extra, 0);	56	zend_string *new_zstr = zend_string_alloc(ZSTR_LEN(tmp_zstr) + extra, 0);
57	char *n = ZSTR_VAL(new_zstr);	57	char *n = ZSTR_VAL(new_zstr);
58	for (char *p = tmp; p < tmpend; p++, n++) {	58	for (char *p = tmp; p < tmpend; p++, n++) {
59	if (sp_is_dangerous_char[(int)*p]) {	59	if (sp_is_dangerous_char[(unsigned char)*p]) {
60	*n++ = '%';	60	*n++ = '%';
61	n++ = sp_hexchars[p >> 4];	61	n++ = sp_hexchars[(unsigned char)p >> 4];
62	n = sp_hexchars[p & 15];	62	n = sp_hexchars[(unsigned char)p & 15];
63	} else {	63	} else {
64	n = p;	64	n = p;
65	}	65	}