Fix GH-21738: undefined behavior in url_decode with non-ASCII bytes

The isxdigit() family requires its argument to be representable as
unsigned char (0-255) or EOF. Casting a signed char value holding a
high-bit byte (e.g. 0x80) to int produces a negative number (-128)
which triggers undefined behavior, and on some libc implementations
(e.g. NetBSD) can lead to out-of-bounds reads through the internal
character classification table.

Author: lacatoire

NEWS

@@ -162,6 +162,8 @@ PHP                                                                        NEWS
   . Fix NUL byte truncation in sqlite3 TEXT column handling. (ndossche)
 
 - Standard:
+  . Fixed bug GH-21738 (undefined behavior in url_decode functions when
+    passing non-ASCII bytes to isxdigit()). (lacatoire)
   . Fixed bug GH-19926 (reset internal pointer earlier while splicing array
     while COW violation flag is still set). (alexandre-daubois)
   . Added form feed (\f) in the default trimmed characters of trim(), rtrim()

ext/standard/url.c

@@ -589,8 +589,8 @@ PHPAPI size_t php_url_decode_ex(char *dest, const char *src, size_t src_len)
 		if (*data == '+') {
 			*dest = ' ';
 		}
-		else if (*data == '%' && src_len >= 2 && isxdigit((int) *(data + 1))
-				 && isxdigit((int) *(data + 2))) {
+		else if (*data == '%' && src_len >= 2 && isxdigit((unsigned char) *(data + 1))
+				 && isxdigit((unsigned char) *(data + 2))) {
 			*dest = (char) php_htoi(data + 1);
 			data += 2;
 			src_len -= 2;
@@ -662,8 +662,8 @@ PHPAPI size_t php_raw_url_decode_ex(char *dest, const char *src, size_t src_len)
 	const char *data = src;
 
 	while (src_len--) {
-		if (*data == '%' && src_len >= 2 && isxdigit((int) *(data + 1))
-			&& isxdigit((int) *(data + 2))) {
+		if (*data == '%' && src_len >= 2 && isxdigit((unsigned char) *(data + 1))
+			&& isxdigit((unsigned char) *(data + 2))) {
 			*dest = (char) php_htoi(data + 1);
 			data += 2;
 			src_len -= 2;