From fd4fd8248970470f25deb4409e72207f6ed52959 Mon Sep 17 00:00:00 2001
From: Ralf Lang
Date: Mon, 16 Mar 2026 20:39:58 +0100
Subject: [PATCH] fix(string): prevent out-of-bounds access in validUtf8()
Port PR #4 from pravussum to both lib/ and src/ versions. Fixes "Uninitialized string offset" error when validUtf8() processes truncated UTF-8 multi-byte sequences at the end of a string.
Co-authored-by: pravussum
---
 lib/Horde/String.php | 3 +++
 src/HordeString.php | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/lib/Horde/String.php b/lib/Horde/String.php
index 9027d26..51137b6 100644
--- a/lib/Horde/String.php
+++ b/lib/Horde/String.php
@@ -950,6 +950,9 @@ public static function validUtf8($text)
 }
 do {
+ if ($i + 1 >= $len) {
+ return false;
+ }
 $c = ord($text[++$i]);
 if (($c < 128) || ($c > 191)) {
 return false;
diff --git a/src/HordeString.php b/src/HordeString.php
index e6f9b56..55b64c4 100644
--- a/src/HordeString.php
+++ b/src/HordeString.php
@@ -915,6 +915,9 @@ public static function validUtf8($text)
 }
 do {
+ if ($i + 1 >= $len) {
+ return false;
+ }
 $c = ord($text[++$i]);
 if (($c < 128) || ($c > 191)) {
 return false;
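Review bot: The new guard at the top of the `do` loop in `validUtf8()` is what keeps `$text[++$i]` inside the string when a multi-byte sequence is cut short, but it has no comment and the diffstat lists only the two library files, so no regression test pins the behaviour. I would put a line above it such as `// Truncated multi-byte sequence: fail closed rather than index past $len.` and add a test that passes a string ending in a lead byte with its continuation bytes missing, asserting `false` and that no warning is raised. If this validator runs on untrusted input, that second assertion matters, because a strict error handler can turn the old "Uninitialized string offset" warning into an exception. The same applies to the identical hunk in `src/HordeString.php`; the function body starts and ends outside both hunks.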