[PHP-CVS] cvs: php-src /ext/standard string.c /ext/standard/tests/strings strrpos_offset.phpt

Mon, 21 Jul 2008 18:06:11 -0700 

scottmac                Tue Jul 22 01:05:56 2008 UTC

  Added files:                 
    /php-src/ext/standard/tests/strings strrpos_offset.phpt 

  Modified files:              
    /php-src/ext/standard       string.c 
  Log:
  Fix integer oveflow in strrpos()
  
  
  
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.676&r2=1.677&diff_format=u
Index: php-src/ext/standard/string.c
diff -u php-src/ext/standard/string.c:1.676 php-src/ext/standard/string.c:1.677
--- php-src/ext/standard/string.c:1.676 Tue Jul 15 14:44:46 2008
+++ php-src/ext/standard/string.c       Tue Jul 22 01:05:55 2008
@@ -18,7 +18,7 @@
    +----------------------------------------------------------------------+
  */
 
-/* $Id: string.c,v 1.676 2008/07/15 14:44:46 scottmac Exp $ */
+/* $Id: string.c,v 1.677 2008/07/22 01:05:55 scottmac Exp $ */
 
 /* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */
 
@@ -2795,7 +2795,7 @@
                        u_e = haystack.u + haystack_len - needle_len;
                } else {
                        u_p = haystack.u;
-                       if (-offset > haystack_len) {
+                       if (-offset > haystack_len || offset < -INT_MAX) {
                                php_error_docref(NULL TSRMLS_CC, E_NOTICE, 
"Offset is greater than the length of haystack string");
                                RETURN_FALSE;
                        } else {
@@ -2832,7 +2832,7 @@
                        p = haystack.s + offset;
                        e = haystack.s + haystack_len - needle_len;
                } else {
-                       if (-offset > haystack_len) {
+                       if (-offset > haystack_len || offset < -INT_MAX) {
                                php_error_docref(NULL TSRMLS_CC, E_NOTICE, 
"Offset is greater than the length of haystack string");
                                RETURN_FALSE;
                        }

http://cvs.php.net/viewvc.cgi/php-src/ext/standard/tests/strings/strrpos_offset.phpt?view=markup&rev=1.1
Index: php-src/ext/standard/tests/strings/strrpos_offset.phpt
+++ php-src/ext/standard/tests/strings/strrpos_offset.phpt
--TEST--
strrpos() offset integer overflow
--FILE--
<?php

var_dump(strrpos("t", "t", PHP_INT_MAX+1));
var_dump(strrpos("tttt", "tt", PHP_INT_MAX+1));
var_dump(strrpos(100, 101, PHP_INT_MAX+1));
var_dump(strrpos(1024, 1024, PHP_INT_MAX+1));
var_dump(strrpos(1024, 1024, -PHP_INT_MAX));
var_dump(strrpos(1024, "te", -PHP_INT_MAX));
var_dump(strrpos(1024, 1024, -PHP_INT_MAX-1));
var_dump(strrpos(1024, "te", -PHP_INT_MAX-1));

echo "Done\n";
?>
--EXPECTF--
Notice: strrpos(): Offset is greater than the length of haystack string in %s 
on line %d
bool(false)

Notice: strrpos(): Offset is greater than the length of haystack string in %s 
on line %d
bool(false)

Notice: strrpos(): Offset is greater than the length of haystack string in %s 
on line %d
bool(false)

Notice: strrpos(): Offset is greater than the length of haystack string in %s 
on line %d
bool(false)

Notice: strrpos(): Offset is greater than the length of haystack string in %s 
on line %d
bool(false)

Notice: strrpos(): Offset is greater than the length of haystack string in %s 
on line %d
bool(false)

Notice: strrpos(): Offset is greater than the length of haystack string in %s 
on line %d
bool(false)

Notice: strrpos(): Offset is greater than the length of haystack string in %s 
on line %d
bool(false)
Done



-- 
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to