scottmac Tue Jul 22 01:05:56 2008 UTC Added files: /php-src/ext/standard/tests/strings strrpos_offset.phpt
Modified files: /php-src/ext/standard string.c Log: Fix integer oveflow in strrpos() http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.676&r2=1.677&diff_format=u Index: php-src/ext/standard/string.c diff -u php-src/ext/standard/string.c:1.676 php-src/ext/standard/string.c:1.677 --- php-src/ext/standard/string.c:1.676 Tue Jul 15 14:44:46 2008 +++ php-src/ext/standard/string.c Tue Jul 22 01:05:55 2008 @@ -18,7 +18,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: string.c,v 1.676 2008/07/15 14:44:46 scottmac Exp $ */ +/* $Id: string.c,v 1.677 2008/07/22 01:05:55 scottmac Exp $ */ /* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */ @@ -2795,7 +2795,7 @@ u_e = haystack.u + haystack_len - needle_len; } else { u_p = haystack.u; - if (-offset > haystack_len) { + if (-offset > haystack_len || offset < -INT_MAX) { php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Offset is greater than the length of haystack string"); RETURN_FALSE; } else { @@ -2832,7 +2832,7 @@ p = haystack.s + offset; e = haystack.s + haystack_len - needle_len; } else { - if (-offset > haystack_len) { + if (-offset > haystack_len || offset < -INT_MAX) { php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Offset is greater than the length of haystack string"); RETURN_FALSE; } http://cvs.php.net/viewvc.cgi/php-src/ext/standard/tests/strings/strrpos_offset.phpt?view=markup&rev=1.1 Index: php-src/ext/standard/tests/strings/strrpos_offset.phpt +++ php-src/ext/standard/tests/strings/strrpos_offset.phpt --TEST-- strrpos() offset integer overflow --FILE-- <?php var_dump(strrpos("t", "t", PHP_INT_MAX+1)); var_dump(strrpos("tttt", "tt", PHP_INT_MAX+1)); var_dump(strrpos(100, 101, PHP_INT_MAX+1)); var_dump(strrpos(1024, 1024, PHP_INT_MAX+1)); var_dump(strrpos(1024, 1024, -PHP_INT_MAX)); var_dump(strrpos(1024, "te", -PHP_INT_MAX)); var_dump(strrpos(1024, 1024, -PHP_INT_MAX-1)); var_dump(strrpos(1024, "te", -PHP_INT_MAX-1)); echo "Done\n"; ?> --EXPECTF-- Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d bool(false) Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d bool(false) Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d bool(false) Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d bool(false) Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d bool(false) Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d bool(false) Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d bool(false) Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d bool(false) Done -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php