tony2001 Thu Jul 7 11:19:41 2005 EDT
Modified files:
/php-src NEWS
/php-src/ext/standard string.c
Log:
fix #33605 (substr_compare() crashes with negative offset & length)
http://cvs.php.net/diff.php/php-src/NEWS?r1=1.1985&r2=1.1986&ty=u
Index: php-src/NEWS
diff -u php-src/NEWS:1.1985 php-src/NEWS:1.1986
--- php-src/NEWS:1.1985 Thu Jul 7 11:16:56 2005
+++ php-src/NEWS Thu Jul 7 11:19:40 2005
@@ -10,6 +10,8 @@
- Fixed memory corruption in pg_copy_from() in case the as_null parameter was
passed. (Derick)
- Fixed crash inside stream_get_line() when length parameter equals 0. (Ilia)
+- Fixed bug #33605 (substr_compare() crashes with negative offset and length).
+ (Tony)
- Fixed bug #33578 (strtotime() doesn't understand "11 Oct" format). (Derick)
- Fixed bug #33562 (date("") crashes). (Derick)
- Fixed bug #33536 (strtotime() defaults to now even on non time string).
http://cvs.php.net/diff.php/php-src/ext/standard/string.c?r1=1.441&r2=1.442&ty=u
Index: php-src/ext/standard/string.c
diff -u php-src/ext/standard/string.c:1.441 php-src/ext/standard/string.c:1.442
--- php-src/ext/standard/string.c:1.441 Sun Jun 19 12:31:51 2005
+++ php-src/ext/standard/string.c Thu Jul 7 11:19:40 2005
@@ -18,7 +18,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: string.c,v 1.441 2005/06/19 16:31:51 iliaa Exp $ */
+/* $Id: string.c,v 1.442 2005/07/07 15:19:40 tony2001 Exp $ */
/* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */
@@ -4446,6 +4446,10 @@
if (ac > 2) {
convert_to_long_ex(offset);
+ if (Z_LVAL_PP(offset) < 0) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Offset
should be greater then or equal to 0.");
+ RETURN_FALSE;
+ }
p += Z_LVAL_PP(offset);
if (p > endp) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Offset
value %ld exceeds string length.", Z_LVAL_PP(offset));
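Review bot: The bounds checks next to the new guards still do the pointer arithmetic first and compare afterwards: `p += Z_LVAL_PP(offset)` runs before `if (p > endp)`, and the next hunk tests `(p + Z_LVAL_PP(length)) > endp`. With a very large positive offset or length the resulting pointer lies far outside the buffer, which is undefined behaviour in C and may wrap, so the comparison can pass and the later comparison reads out of bounds. Comparing the value with the space that remains avoids forming that pointer at all, e.g. `if (Z_LVAL_PP(offset) > endp - p)` before the `+=` and `if (Z_LVAL_PP(length) > endp - p)` for the length. The declarations of `p` and `endp` are outside the hunk, so this assumes both point into the same string buffer. Separately, the new offset warning reads "greater then"; it should be "greater than", matching the length message in the next hunk.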
@@ -4453,6 +4457,10 @@
}
if (ac == 4) {
convert_to_long_ex(length);
+ if (Z_LVAL_PP(length) <= 0) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING,
"Length should be greater than 0.");
+ RETURN_FALSE;
+ }
if ((p + Z_LVAL_PP(length)) > endp) {
php_error_docref(NULL TSRMLS_CC, E_WARNING,
"Length value %ld exceeds string length.", Z_LVAL_PP(length));
RETURN_FALSE;