From 56447f425f0fa241e0005df0e620bda97eb06340 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Fri, 24 Apr 2026 11:32:35 +0200
Subject: Address multiple sign issues in ifilter

`sp_is_dangerous_char[(int)*p]` is indexed by `(int)*p`. If char is signed (default on x86), values 0x80–0xFF produce negative indices into the array, causing an out-of-bounds read. The `sp_server_encode` function has the same issue.
---
 src/sp_ifilter.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/sp_ifilter.c b/src/sp_ifilter.c
index 67eb5f3..ffdeec1 100644
--- a/src/sp_ifilter.c
+++ b/src/sp_ifilter.c
@@ -33,7 +33,7 @@ static void sp_server_strip(HashTable *svars, const char *key, size_t keylen) {
 char *tmpend = tmp + ZSTR_LEN(tmp_zstr);
 for (char *p = tmp; p < tmpend; p++) {
- if (sp_is_dangerous_char[(int)*p]) {
+ if (sp_is_dangerous_char[(unsigned char)*p]) {
 *p = '_';
 }
 }
@@ -49,17 +49,17 @@ static void sp_server_encode(HashTable *svars, const char *key, size_t keylen) {
 int extra = 0;
 for (char *p = tmp; p < tmpend; p++) {
- extra += sp_is_dangerous_char[(int)*p] * 2;
+ extra += sp_is_dangerous_char[(unsigned char)*p] * 2;
 }
 if (!extra) {
 return;
 }
 zend_string *new_zstr = zend_string_alloc(ZSTR_LEN(tmp_zstr) + extra, 0);
 char *n = ZSTR_VAL(new_zstr);
 for (char *p = tmp; p < tmpend; p++, n++) {
- if (sp_is_dangerous_char[(int)*p]) {
+ if (sp_is_dangerous_char[(unsigned char)*p]) {
 *n++ = '%';
- *n++ = sp_hexchars[*p >> 4];
- *n = sp_hexchars[*p & 15];
+ *n++ = sp_hexchars[(unsigned char)*p >> 4];
+ *n = sp_hexchars[(unsigned char)*p & 15];
 } else {
 *n = *p;
 }
-- 
cgit v1.3
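Review bot: The new index `(unsigned char)*p` in sp_server_strip ranges over 0–255, so the fix is only complete if `sp_is_dangerous_char` has 256 entries; its declaration is not visible in this hunk. If the table is declared without an explicit size, a compile-time check next to it, for example `_Static_assert(sizeof(sp_is_dangerous_char) / sizeof(sp_is_dangerous_char[0]) == 256, "one entry per byte value");` where the build allows C11, would pin that down. The same applies to the three lookups in the sp_server_encode hunk. The function body starts before this hunk.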
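Review bot: `int extra` in sp_server_encode is still a signed accumulator that gets added to the `size_t` from `ZSTR_LEN(tmp_zstr)` when sizing the allocation, so one sign/width issue remains after this commit. For a very long value with many flagged bytes the sum could exceed `INT_MAX`, and the converted result would mis-size `new_zstr`, which the copy loop then writes through. Server variables are normally far shorter, so this is hardening rather than a demonstrated bug. Declaring it as `size_t extra = 0;` keeps the arithmetic unsigned and in the width the allocation call takes. The function starts before the hunk and continues after it.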