tony2001 Thu May 10 22:08:36 2007 UTC Added files: /php-src/ext/standard/tests/strings strripos_offset.phpt
Modified files: /php-src/ext/standard string.c Log: fix segfault in strripos() when offset == INT_MAX+1 identified and repoted by Joxean Koret
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.634&r2=1.635&diff_format=u
Index: php-src/ext/standard/string.c
diff -u php-src/ext/standard/string.c:1.634 php-src/ext/standard/string.c:1.635
--- php-src/ext/standard/string.c:1.634 Sun Apr 22 19:22:19 2007
+++ php-src/ext/standard/string.c Thu May 10 22:08:35 2007
@@ -18,7 +18,7 @@
 +----------------------------------------------------------------------+
 */
-/* $Id: string.c,v 1.634 2007/04/22 19:22:19 tony2001 Exp $ */
+/* $Id: string.c,v 1.635 2007/05/10 22:08:35 tony2001 Exp $ */
 /* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */
@@ -2915,7 +2915,7 @@
 u_e = haystack.u + haystack_len - needle_len;
 } else {
 u_p = haystack.u;
- if (-offset > haystack_len) {
+ if (-offset > haystack_len || -offset < 0) {
 RETURN_FALSE;
 } else {
 cu_offset = haystack_len;
@@ -2953,7 +2953,7 @@
 e = haystack.s + haystack_len - 1;
 } else {
 p = haystack.s;
- if (-offset > haystack_len) {
+ if (-offset > haystack_len || -offset < 0) {
 RETURN_FALSE;
 } else {
 e = haystack.s + haystack_len + offset;
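Review bot: The added `-offset < 0` test in the `else` branch at @@ -2915 (and the identical lines at @@ -2953 and @@ -2984) detects the overflow only after `-offset` has already been evaluated, and negating the most negative value of a signed type is undefined behaviour in C. An optimizing compiler may assume the negation cannot overflow and drop the comparison, which would let the out-of-range pointer arithmetic that follows (`e = haystack.s + haystack_len + offset;`) run again. A form that never negates `offset` avoids this, for example `if (offset < -haystack_len) {`, assuming `haystack_len` is a non-negative signed integer; its declaration and the enclosing `if` are outside the hunks, so that needs confirming. A short comment such as `/* offset may be the type's minimum; range-check it without negating */` would also record why the check exists.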
@@ -2984,7 +2984,7 @@
 p = haystack_dup + offset;
 e = haystack_dup + haystack_len - needle_len;
 } else {
- if (-offset > haystack_len) {
+ if (-offset > haystack_len || -offset < 0) {
 efree(haystack_dup);
 efree(needle_dup);
 RETURN_FALSE;
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/tests/strings/strripos_offset.phpt?view=markup&rev=1.1
Index: php-src/ext/standard/tests/strings/strripos_offset.phpt
+++ php-src/ext/standard/tests/strings/strripos_offset.phpt
--TEST--
strripos() offset integer overflow
--FILE--
<?php
var_dump(strripos("t", "t", PHP_INT_MAX+1));
var_dump(strripos("tttt", "tt", PHP_INT_MAX+1));
var_dump(strripos(100, 101, PHP_INT_MAX+1));
var_dump(strripos(1024, 1024, PHP_INT_MAX+1));
var_dump(strripos(array(), array(), PHP_INT_MAX+1));
var_dump(strripos(1024, 1024, -PHP_INT_MAX));
var_dump(strripos(1024, "te", -PHP_INT_MAX));
var_dump(strripos(1024, 1024, -PHP_INT_MAX-1));
var_dump(strripos(1024, "te", -PHP_INT_MAX-1));
echo "Done\n";
?>
--EXPECTF--
bool(false)
bool(false)
bool(false)
bool(false)
Warning: strripos() expects parameter 1 to be string (Unicode or binary), array given in %s on line %d
bool(false)
bool(false)
bool(false)
bool(false)
bool(false)
Done
--UEXPECTF--
bool(false)
bool(false)
bool(false)
bool(false)
Warning: strripos() expects parameter 1 to be string (Unicode or binary), array given in %s on line %d
bool(false)
bool(false)
bool(false)
bool(false)
bool(false)
Done
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php