tony2001 Tue Apr 25 12:49:04 2006 UTC
Modified files:
/php-src/ext/standard/tests/strings bug33605.phpt
substr_compare.phpt
/php-src/ext/standard string.c
Log:
MF51: fix possible substr_compare() crash
add new tests
http://cvs.php.net/viewcvs.cgi/php-src/ext/standard/tests/strings/bug33605.phpt?r1=1.1&r2=1.2&diff_format=u
Index: php-src/ext/standard/tests/strings/bug33605.phpt
diff -u /dev/null php-src/ext/standard/tests/strings/bug33605.phpt:1.2
--- /dev/null Tue Apr 25 12:49:04 2006
+++ php-src/ext/standard/tests/strings/bug33605.phpt Tue Apr 25 12:49:04 2006
@@ -0,0 +1,11 @@
+--TEST--
+Bug #33605 (substr_compare crashes)
+--FILE--
+<?php
+$res = substr_compare("aa", "a", -99999999, 0, 0);
+var_dump($res);
+
+?>
+--EXPECTF--
+Warning: substr_compare(): The length must be greater than zero in %s on line
%d
+bool(false)
http://cvs.php.net/viewcvs.cgi/php-src/ext/standard/tests/strings/substr_compare.phpt?r1=1.1&r2=1.2&diff_format=u
Index: php-src/ext/standard/tests/strings/substr_compare.phpt
diff -u /dev/null php-src/ext/standard/tests/strings/substr_compare.phpt:1.2
--- /dev/null Tue Apr 25 12:49:04 2006
+++ php-src/ext/standard/tests/strings/substr_compare.phpt Tue Apr 25
12:49:04 2006
@@ -0,0 +1,41 @@
+--TEST--
+substr_compare()
+--FUNCTIONS--
+substr_compare
+--FILE--
+<?php
+
+var_dump(substr_compare("abcde", "bc", 1, 2));
+var_dump(substr_compare("abcde", "bcg", 1, 2));
+var_dump(substr_compare("abcde", "BC", 1, 2, true));
+var_dump(substr_compare("abcde", "bc", 1, 3));
+var_dump(substr_compare("abcde", "cd", 1, 2));
+var_dump(substr_compare("abcde", "abc", 5, 1));
+
+var_dump(substr_compare("abcde", -1, 0, NULL, new stdClass));
+echo "Test\n";
+var_dump(substr_compare("abcde", "abc", -1, NULL, -5));
+var_dump(substr_compare("abcde", -1, 0, "str", new stdClass));
+
+echo "Done\n";
+?>
+--EXPECTF--
+int(0)
+int(0)
+int(0)
+int(1)
+int(-1)
+
+Warning: substr_compare(): The start position cannot exceed initial string
length in %s on line %d
+bool(false)
+
+Warning: substr_compare() expects parameter 5 to be boolean, object given in
%s on line %d
+bool(false)
+Test
+
+Warning: substr_compare(): The length must be greater than zero in %s on line
%d
+bool(false)
+
+Warning: substr_compare() expects parameter 4 to be long, string given in %s
on line %d
+bool(false)
+Done
http://cvs.php.net/viewcvs.cgi/php-src/ext/standard/string.c?r1=1.540&r2=1.541&diff_format=u
Index: php-src/ext/standard/string.c
diff -u php-src/ext/standard/string.c:1.540 php-src/ext/standard/string.c:1.541
--- php-src/ext/standard/string.c:1.540 Tue Apr 18 05:18:12 2006
+++ php-src/ext/standard/string.c Tue Apr 25 12:49:04 2006
@@ -18,7 +18,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: string.c,v 1.540 2006/04/18 05:18:12 andrei Exp $ */
+/* $Id: string.c,v 1.541 2006/04/25 12:49:04 tony2001 Exp $ */
/* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */
@@ -6814,12 +6814,18 @@
RETURN_FALSE;
}
- if (offset < 0) { /* negative offset, start comparison at the end of
string */
+ if (ZEND_NUM_ARGS() >= 4 && len <= 0) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "The length must be
greater than zero");
+ RETURN_FALSE;
+ }
+
+ if (offset < 0) {
offset = s1_len + offset;
+ offset = (offset < 0) ? 0 : offset;
}
if ((offset + len) >= s1_len) {
- php_error_docref(NULL TSRMLS_CC, E_WARNING, "The start position
cannot exceed initial string length.");
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "The start position
cannot exceed initial string length");
RETURN_FALSE;
}
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
