From 03113b09ce5ff3dd5f55650c74424767a1fccdff Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+ndossche@users.noreply.github.com> Date: Sun, 4 Jan 2026 16:11:58 +0100 Subject: [PATCH] Fix GH-20833: mb_str_pad() divide by zero if padding string is invalid in the encoding If the padding string is not valid in the given encoding, mb_get_strlen() can return 0. Closes GH-20834. --- NEWS | 4 ++++ ext/mbstring/mbstring.c | 5 +++++ ext/mbstring/tests/gh20833.phpt | 16 ++++++++++++++++ 3 files changed, 25 insertions(+) create mode 100644 ext/mbstring/tests/gh20833.phpt diff --git a/NEWS b/NEWS index 3b76cc8363112..fc4f5d3d2978c 100644 --- a/NEWS +++ b/NEWS @@ -2,6 +2,10 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? ????, PHP 8.4.18 +- MbString: + . Fixed bug GH-20833 (mb_str_pad() divide by zero if padding string is + invalid in the encoding). (ndossche) + - Readline: . Fixed bug GH-18139 (Memory leak when overriding some settings via readline_info()). (ndossche) diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c index 3c3200636ec2c..1491e1728cd58 100644 --- a/ext/mbstring/mbstring.c +++ b/ext/mbstring/mbstring.c @@ -5848,6 +5848,11 @@ PHP_FUNCTION(mb_str_pad) } size_t pad_length = mb_get_strlen(pad, encoding); + if (pad_length == 0) { + /* Possible with invalidly encoded padding string. */ + zend_argument_must_not_be_empty_error(3); + RETURN_THROWS(); + } size_t num_mb_pad_chars = pad_to_length - input_length; diff --git a/ext/mbstring/tests/gh20833.phpt b/ext/mbstring/tests/gh20833.phpt new file mode 100644 index 0000000000000..099aa3379238f --- /dev/null +++ b/ext/mbstring/tests/gh20833.phpt @@ -0,0 +1,16 @@ +--TEST-- +GH-20833 (mb_str_pad() divide by zero if padding string is invalid in the encoding) +--EXTENSIONS-- +mbstring +--FILE-- +getMessage(), "\n"; +} +?> +--EXPECT-- +ValueError: mb_str_pad(): Argument #3 ($pad_string) must not be empty