replace alloca with do_alloca in mb_guess_encoding_for_strings

jordikroon · alexdowad · commit 37c5a13d6779 · 2026-02-17T06:46:42.000+09:00
This avoids a crash in cases where the list of candidate encodings is so huge
that alloca would fail. Such crashes have been observed when the list of
encodings was larger than around 208,000 entries.
diff --git a/NEWS b/NEWS
@@ -27,6 +27,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-21097 (Accessing Dom\Node properties can can throw TypeError).
     (ndossche)
 
+- MBString:
+  . Fixed bug GH-21223; mb_guess_encoding no longer crashes when passed huge
+    list of candidate encodings (with 200,000+ entries). (Jordi Kroon)
+
 - Opcache:
   . Fixed bug GH-20718 ("Insufficient shared memory" when using JIT on Solaris).
     (Petr Sumbera)
diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c
@@ -3376,15 +3376,17 @@ MBSTRING_API const mbfl_encoding* mb_guess_encoding_for_strings(const unsigned c
 		return *elist;
 	}
 
-	/* Allocate on stack; when we return, this array is automatically freed */
-	struct candidate *array = alloca(elist_size * sizeof(struct candidate));
+	/* Allocate on stack or heap */
+	ALLOCA_FLAG(use_heap)
+	struct candidate *array = do_alloca(elist_size * sizeof(struct candidate), use_heap);
 	elist_size = init_candidate_array(array, elist_size, elist, strings, str_lengths, n, strict, order_significant);
 
 	while (n--) {
 		start_string(array, elist_size, strings[n], str_lengths[n]);
 		elist_size = count_demerits(array, elist_size, strict);
 		if (elist_size == 0) {
 			/* All candidates were eliminated */
+			free_alloca(array, use_heap);
 			return NULL;
 		}
 	}
@@ -3396,7 +3398,10 @@ MBSTRING_API const mbfl_encoding* mb_guess_encoding_for_strings(const unsigned c
 			best = i;
 		}
 	}
-	return array[best].enc;
+
+	const mbfl_encoding *result = array[best].enc;
+	free_alloca(array, use_heap);
+	return result;
 }
 
 /* When doing 'strict' detection, any string which is invalid in the candidate encoding
diff --git a/ext/mbstring/tests/gh21223.phpt b/ext/mbstring/tests/gh21223.phpt
@@ -0,0 +1,19 @@
+--TEST--
+GH-21223 (Stack overflow in mb_guess_encoding called via mb_detect_encoding)
+--EXTENSIONS--
+mbstring
+--FILE--
+<?php
+$str = "hello";
+
+$list = [];
+for ($i = 0; $i < 500000; $i++) {
+    $list[] = "UTF-8";
+}
+
+var_dump(mb_detect_encoding($str, $list, false));
+echo "Done";
+?>
+--EXPECT--
+string(5) "UTF-8"
+Done

Original file line number	Diff line number	Diff line change
`@@ -3376,15 +3376,17 @@ MBSTRING_API const mbfl_encoding* mb_guess_encoding_for_strings(const unsigned c`
`3376`	`3376`	`return *elist;`
`3377`	`3377`	`}`
`3378`	`3378`
`3379`		`- /* Allocate on stack; when we return, this array is automatically freed */`
`3380`		`- struct candidate array = alloca(elist_size sizeof(struct candidate));`
	`3379`	`+ /* Allocate on stack or heap */`
	`3380`	`+ ALLOCA_FLAG(use_heap)`
	`3381`	`+ struct candidate array = do_alloca(elist_size sizeof(struct candidate), use_heap);`
`3381`	`3382`	`elist_size = init_candidate_array(array, elist_size, elist, strings, str_lengths, n, strict, order_significant);`
`3382`	`3383`
`3383`	`3384`	`while (n--) {`
`3384`	`3385`	`start_string(array, elist_size, strings[n], str_lengths[n]);`
`3385`	`3386`	`elist_size = count_demerits(array, elist_size, strict);`
`3386`	`3387`	`if (elist_size == 0) {`
`3387`	`3388`	`/* All candidates were eliminated */`
	`3389`	`+ free_alloca(array, use_heap);`
`3388`	`3390`	`return NULL;`
`3389`	`3391`	`}`
`3390`	`3392`	`}`
`@@ -3396,7 +3398,10 @@ MBSTRING_API const mbfl_encoding* mb_guess_encoding_for_strings(const unsigned c`
`3396`	`3398`	`best = i;`
`3397`	`3399`	`}`
`3398`	`3400`	`}`
`3399`		`- return array[best].enc;`
	`3401`	`+`
	`3402`	`+ const mbfl_encoding *result = array[best].enc;`
	`3403`	`+ free_alloca(array, use_heap);`
	`3404`	`+ return result;`
`3400`	`3405`	`}`
`3401`	`3406`
`3402`	`3407`	`/* When doing 'strict' detection, any string which is invalid in the candidate encoding`