tony2001 Fri May 19 10:20:44 2006 UTC Modified files: (Branch: PHP_4_4) /php-src/ext/standard string.c Log: fix invalid read in basename("/.gz", ".gz") http://cvs.php.net/viewcvs.cgi/php-src/ext/standard/string.c?r1=1.333.2.52.2.4&r2=1.333.2.52.2.5&diff_format=u Index: php-src/ext/standard/string.c diff -u php-src/ext/standard/string.c:1.333.2.52.2.4 php-src/ext/standard/string.c:1.333.2.52.2.5 --- php-src/ext/standard/string.c:1.333.2.52.2.4 Mon Mar 13 14:41:27 2006 +++ php-src/ext/standard/string.c Fri May 19 10:20:44 2006 @@ -18,7 +18,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: string.c,v 1.333.2.52.2.4 2006/03/13 14:41:27 iliaa Exp $ */ +/* $Id: string.c,v 1.333.2.52.2.5 2006/05/19 10:20:44 tony2001 Exp $ */ /* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */ @@ -1063,12 +1063,14 @@ PHPAPI char *php_basename(char *s, size_t len, char *suffix, size_t sufflen) { char *ret=NULL, *c, *p=NULL, buf='\0', *p2=NULL, buf2='\0'; + int cnt = len; c = s + len - 1; /* do suffix removal as the unix command does */ if (suffix && (len > sufflen)) { if (!strncmp(suffix, c-sufflen+1, sufflen)) { - c -= sufflen; + c -= sufflen; + cnt -= sufflen; buf2 = *(c + 1); /* Save overwritten char */ *(c + 1) = '\0'; /* overwrite char */ p2 = c + 1; /* Save pointer to overwritten char */ @@ -1077,12 +1079,15 @@ /* strip trailing slashes */ - while (*c == '/' + while (cnt > 0 && (*c == '/' #ifdef PHP_WIN32 || (*c == '\\' && !IsDBCSLeadByte(*(c-1))) #endif - ) + )) { c--; + cnt--; + } + if (c+1 >= s && c < s+len-1) { buf = *(c + 1); /* Save overwritten char */ *(c + 1) = '\0'; /* overwrite char */
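Review bot: In the `@@ -1063,12 +1063,14 @@` hunk, `int cnt = len;` narrows a `size_t` to `int`, so for a length above INT_MAX the counter would typically start out negative and the `cnt > 0` guard added in the following hunk would skip trailing-slash stripping entirely. Declaring it as `size_t cnt = len;` keeps it in the same type as `len` and `sufflen`; `cnt -= sufflen;` cannot wrap because it only runs under `len > sufflen`. A short comment such as `/* bytes of s still in play; invariant: c == s + cnt - 1 */` would document what the later guard relies on. The body of php_basename continues past the end of this hunk.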
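Review bot: In the `@@ -1077,12 +1079,15 @@` hunk, the PHP_WIN32 branch still evaluates `*(c-1)` when `cnt == 1`, which is when `c == s`, so a string whose first remaining byte is a backslash reads one byte before the buffer. That is the same class of invalid read this commit fixes for `/`, because the new `cnt > 0` guard only keeps `*c` itself in bounds. The lookback could be bounded as well, for example `|| (*c == '\\' && (cnt == 1 || !IsDBCSLeadByte(*(c-1))))`, treating a backslash at the very start as a separator since no lead byte can precede it. The enclosing function starts in the previous hunk and continues past the end of this one, so how the rest of the body uses `c` should be checked against that change.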