Extend isxdigit() UB fix to quoted_printable_decode and stripcslashes

lacatoire · lacatoire · commit 839bbf13b006 · 2026-04-30T11:07:29.000+02:00
Same signed-char UB as in url_decode: isxdigit() is called on byte
values from char-pointers (str_in in quoted_printable_decode,
source in php_stripcslashes), which sign-extend to negative int on
signed-char platforms when the byte has its high bit set.
diff --git a/NEWS b/NEWS
@@ -162,8 +162,9 @@ PHP                                                                        NEWS
   . Fix NUL byte truncation in sqlite3 TEXT column handling. (ndossche)
 
 - Standard:
-  . Fixed bug GH-21738 (undefined behavior in url_decode functions when
-    passing non-ASCII bytes to isxdigit()). (lacatoire)
+  . Fixed bug GH-21738 (undefined behavior when passing non-ASCII bytes to
+    isxdigit() in url_decode, quoted_printable_decode and stripcslashes).
+    (lacatoire)
   . Fixed bug GH-19926 (reset internal pointer earlier while splicing array
     while COW violation flag is still set). (alexandre-daubois)
   . Added form feed (\f) in the default trimmed characters of trim(), rtrim()
diff --git a/ext/standard/quot_print.c b/ext/standard/quot_print.c
@@ -210,8 +210,8 @@ PHP_FUNCTION(quoted_printable_decode)
 		switch (str_in[i]) {
 		case '=':
 			if (str_in[i + 1] && str_in[i + 2] &&
-				isxdigit((int) str_in[i + 1]) &&
-				isxdigit((int) str_in[i + 2]))
+				isxdigit((unsigned char) str_in[i + 1]) &&
+				isxdigit((unsigned char) str_in[i + 2]))
 			{
 				ZSTR_VAL(str_out)[j++] = (php_hex2int((int) str_in[i + 1]) << 4)
 						+ php_hex2int((int) str_in[i + 2]);
diff --git a/ext/standard/string.c b/ext/standard/string.c
@@ -3760,9 +3760,9 @@ PHPAPI void php_stripcslashes(zend_string *str)
 				case 'f':  *target++='\f'; nlen--; break;
 				case '\\': *target++='\\'; nlen--; break;
 				case 'x':
-					if (source+1 < end && isxdigit((int)(*(source+1)))) {
+					if (source+1 < end && isxdigit((unsigned char)(*(source+1)))) {
 						numtmp[0] = *++source;
-						if (source+1 < end && isxdigit((int)(*(source+1)))) {
+						if (source+1 < end && isxdigit((unsigned char)(*(source+1)))) {
 							numtmp[1] = *++source;
 							numtmp[2] = '\0';
 							nlen-=3;
