Fixed bug #77454

NEWS

@@ -11,6 +11,10 @@ PHP                                                                        NEWS
   . Fixed bug #77272 (imagescale() may return image resource on failure). (cmb)
   . Fixed bug #77391 (1bpp BMPs may fail to be loaded). (Romain Déoux, cmb)
 
+- Mbstring:
+  . Fixed bug #77454 (mb_scrub() silently truncates after a null byte).
+    (64796c6e69 at gmail dot com)
+
 - MySQLnd:
   . Fixed bug #75684 (In mysqlnd_ext_plugin.h the plugin methods family has
     no external visibility). (Anatol)

ext/mbstring/mbstring.c

@@ -5260,11 +5260,9 @@ PHP_FUNCTION(mb_chr)
 /* }}} */
 
 
-static inline char* php_mb_scrub(const char* str, size_t str_len, const char* enc)
+static inline char* php_mb_scrub(const char* str, size_t str_len, const char* enc, size_t *ret_len)
 {
-	size_t ret_len;
-
-	return php_mb_convert_encoding(str, str_len, enc, enc, &ret_len);
+	return php_mb_convert_encoding(str, str_len, enc, enc, ret_len);
 }
 
 
@@ -5276,6 +5274,7 @@ PHP_FUNCTION(mb_scrub)
 	char *enc = NULL;
 	size_t enc_len;
 	char *ret;
+	size_t ret_len;
 
 	ZEND_PARSE_PARAMETERS_START(1, 2)
 		Z_PARAM_STRING(str, str_len)
@@ -5290,13 +5289,13 @@ PHP_FUNCTION(mb_scrub)
 		RETURN_FALSE;
 	}
 
-	ret = php_mb_scrub(str, str_len, enc);
+	ret = php_mb_scrub(str, str_len, enc, &ret_len);
 
 	if (ret == NULL) {
 		RETURN_FALSE;
 	}
 
-	RETVAL_STRING(ret);
+	RETVAL_STRINGL(ret, ret_len);
 	efree(ret);
 }
 /* }}} */

ext/mbstring/tests/bug77454.phpt

@@ -0,0 +1,16 @@
+--TEST--
+Bug #77454: mb_scrub() silently truncates after a null byte
+--FILE--
+<?php
+$str = "before\0after";
+function test($str, $enc) {
+    echo str_replace("\0", '\0', mb_scrub($str, $enc)), "\n";
+}
+test($str, 'latin1');
+test($str, 'utf-8');
+test($str, 'ascii');
+?>
+--EXPECT--
+before\0after
+before\0after
+before\0after