Ensure that the input to chr() is between 0 and 255.

pabzm · pabzm · commit 7a6b6296a613 · 2025-09-08T15:29:16.000+02:00
diff --git a/program/lib/Roundcube/rcube_utils.php b/program/lib/Roundcube/rcube_utils.php
@@ -724,7 +724,14 @@ public static function file2class($mimetype, $filename)
     public static function xss_entity_decode($content)
     {
         $callback = static function ($matches) {
-            return chr(hexdec($matches[1]));
+            $bytevalue = hexdec((string) $matches[1]);
+            // chr() only covers values between 0 and 255. The following 4 lines are from the former default behaviour
+            // to ensure that, which is now deprecated, so we now explicitly do the shifting here.
+            while ($bytevalue < 0) {
+                $bytevalue += 256;
+            }
+            $bytevalue %= 256;
+            return chr($bytevalue);
         };
 
         $out = html_entity_decode(html_entity_decode($content));
