tony2001                Thu May 10 22:10:44 2007 UTC

  Added files:                 (Branch: PHP_5_2)
    /php-src/ext/standard/tests/strings strripos_offset.phpt 

  Modified files:              
    /php-src    NEWS 
    /php-src/ext/standard       string.c 
  Log:
  MFH: fix segfault in strripos() when offset == INT_MAX+1
  identified and reported by Joxean Koret
  
  
http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.694&r2=1.2027.2.547.2.695&diff_format=u
Index: php-src/NEWS
diff -u php-src/NEWS:1.2027.2.547.2.694 php-src/NEWS:1.2027.2.547.2.695
--- php-src/NEWS:1.2027.2.547.2.694     Thu May 10 15:21:02 2007
+++ php-src/NEWS        Thu May 10 22:10:43 2007
@@ -7,6 +7,7 @@
   (Ilia)
 - Fixed altering $this via argument named "this". (Dmitry)
 - Fixed PHP CLI to use the php.ini from the binary location. (Hannes)
+- Fixed segfault in strripos(). (Tony, Joxean Koret)
 - Fixed bug #41347 (checkdnsrr() segfaults on empty hostname). (Scott)
 - Fixed bug #41337 (WSDL parsing doesn't ignore non soap bindings). (Dmitry)
 - Fixed bug #41326 (Writing empty tags with Xmlwriter::WriteElement[ns])
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.445.2.14.2.54&r2=1.445.2.14.2.55&diff_format=u
Index: php-src/ext/standard/string.c
diff -u php-src/ext/standard/string.c:1.445.2.14.2.54 
php-src/ext/standard/string.c:1.445.2.14.2.55
--- php-src/ext/standard/string.c:1.445.2.14.2.54       Mon Mar 26 10:25:41 2007
+++ php-src/ext/standard/string.c       Thu May 10 22:10:43 2007
@@ -18,7 +18,7 @@
    +----------------------------------------------------------------------+
  */
 
-/* $Id: string.c,v 1.445.2.14.2.54 2007/03/26 10:25:41 tony2001 Exp $ */
+/* $Id: string.c,v 1.445.2.14.2.55 2007/05/10 22:10:43 tony2001 Exp $ */
 
 /* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */
 
@@ -1856,7 +1856,7 @@
                        e = haystack + haystack_len - 1;
                } else {
                        p = haystack;
-                       if (-offset > haystack_len) {
+                       if (-offset > haystack_len || -offset < 0) {
                                php_error_docref(NULL TSRMLS_CC, E_NOTICE, 
"Offset is greater than the length of haystack string");
                                RETURN_FALSE;
                        } else {
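Review bot: The added `-offset < 0` test can only be true after `-offset` has already overflowed, which is undefined behaviour for a signed type when offset holds its most negative value. A compiler that knows offset is negative in this branch may fold the test to false, leaving the out-of-range offset unchecked again. Checking the range before negating avoids this, e.g. `if (offset < -INT_MAX || -offset > haystack_len) {`, assuming offset is a signed long and haystack_len an int; their declarations are outside the hunk. The same condition is repeated in the hunk at line 1889 and needs the same change. The enclosing function starts and ends outside both hunks.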
@@ -1889,7 +1889,7 @@
                p = haystack_dup + offset;
                e = haystack_dup + haystack_len - needle_len;
        } else {
-               if (-offset > haystack_len) {
+               if (-offset > haystack_len || -offset < 0) {
                        efree(needle_dup);
                        efree(haystack_dup);
                        php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Offset is 
greater than the length of haystack string");

http://cvs.php.net/viewvc.cgi/php-src/ext/standard/tests/strings/strripos_offset.phpt?view=markup&rev=1.1
Index: php-src/ext/standard/tests/strings/strripos_offset.phpt
+++ php-src/ext/standard/tests/strings/strripos_offset.phpt
--TEST--
strripos() offset integer overflow
--FILE--
<?php

var_dump(strripos("t", "t", PHP_INT_MAX+1));
var_dump(strripos("tttt", "tt", PHP_INT_MAX+1));
var_dump(strripos(100, 101, PHP_INT_MAX+1));
var_dump(strripos(1024, 1024, PHP_INT_MAX+1));
var_dump(strripos(array(), array(), PHP_INT_MAX+1));
var_dump(strripos(1024, 1024, -PHP_INT_MAX));
var_dump(strripos(1024, "te", -PHP_INT_MAX));
var_dump(strripos(1024, 1024, -PHP_INT_MAX-1));
var_dump(strripos(1024, "te", -PHP_INT_MAX-1));

echo "Done\n";
?>
--EXPECTF--     
bool(false)
bool(false)
bool(false)
bool(false)

Warning: strripos() expects parameter 1 to be string (Unicode or binary), array 
given in %s on line %d
bool(false)
bool(false)
bool(false)
bool(false)
bool(false)
Done
--UEXPECTF--
bool(false)
bool(false)
bool(false)
bool(false)

Warning: strripos() expects parameter 1 to be string (Unicode or binary), array 
given in %s on line %d
bool(false)
bool(false)
bool(false)
bool(false)
bool(false)
Done
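Review bot: Neither expectation section lists a Notice line, yet both patched branches in string.c call `php_error_docref(..., E_NOTICE, ...)` before `RETURN_FALSE`. The calls with `-PHP_INT_MAX` and `-PHP_INT_MAX-1` would therefore presumably print `Notice: strripos(): Offset is greater than the length of haystack string in %s on line %d` ahead of `bool(false)` whenever the test runs with notices displayed. Either add those lines to --EXPECTF-- and --UEXPECTF--, or confirm that the harness suppresses E_NOTICE for this test. Since the log marks this as a merge from HEAD, it is also worth confirming that the `string (Unicode or binary)` warning wording matches what the PHP_5_2 branch emits.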
