iliaa Fri Mar 9 01:58:35 2007 UTC Added files: (Branch: PHP_5_2) /php-src/ext/standard/tests/strings bug40754.phpt
Modified files: /php-src/ext/standard string.c /php-src NEWS Log: Fixed bug #40754 (added substr() & substr_replace() overflow checks). http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.445.2.14.2.49&r2=1.445.2.14.2.50&diff_format=u Index: php-src/ext/standard/string.c diff -u php-src/ext/standard/string.c:1.445.2.14.2.49 php-src/ext/standard/string.c:1.445.2.14.2.50 --- php-src/ext/standard/string.c:1.445.2.14.2.49 Thu Mar 8 00:47:04 2007 +++ php-src/ext/standard/string.c Fri Mar 9 01:58:34 2007 @@ -18,7 +18,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: string.c,v 1.445.2.14.2.49 2007/03/08 00:47:04 stas Exp $ */ +/* $Id: string.c,v 1.445.2.14.2.50 2007/03/09 01:58:34 iliaa Exp $ */ /* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */ @@ -2063,11 +2063,17 @@ if (argc > 2) { convert_to_long_ex(len); l = Z_LVAL_PP(len); + if (l > Z_STRLEN_PP(str) || (l < 0 && -l > Z_STRLEN_PP(str))) { + RETURN_FALSE; + } } else { l = Z_STRLEN_PP(str); } f = Z_LVAL_PP(from); + if (f > Z_STRLEN_PP(str) || (f < 0 && -f > Z_STRLEN_PP(str))) { + RETURN_FALSE; + } /* if "from" position is negative, count start position from the end * of the string @@ -2190,6 +2196,12 @@ } } + if (f > Z_STRLEN_PP(str) || (f < 0 && -f > Z_STRLEN_PP(str))) { + RETURN_FALSE; + } else if (l > Z_STRLEN_PP(str) || (l < 0 && -l > Z_STRLEN_PP(str))) { + RETURN_FALSE; + } + if ((f + l) > Z_STRLEN_PP(str)) { l = Z_STRLEN_PP(str) - f; } http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.581&r2=1.2027.2.547.2.582&diff_format=u Index: php-src/NEWS diff -u php-src/NEWS:1.2027.2.547.2.581 php-src/NEWS:1.2027.2.547.2.582 --- php-src/NEWS:1.2027.2.547.2.581 Thu Mar 8 22:53:37 2007 +++ php-src/NEWS Fri Mar 9 01:58:34 2007 
@@ -16,6 +16,7 @@ - Added tidyNode::getParent() method (John, Nuno) - Fixed zend_llist_remove_tail (Michael Wallner, Dmitry) - Fixed a thread safety issue in gd gif read code (Nuno, Roman Nemecek) +- Fixed bug #40754 (added substr() & substr_replace() overflow checks). (Ilia) - Fixed bug #40752 (parse_ini_file() segfaults when a scalar setting is redeclared as an array). (Tony) - Fixed bug #40727 (segfault in PDO when failed to bind parameters). (Tony) http://cvs.php.net/viewvc.cgi/php-src/ext/standard/tests/strings/bug40754.phpt?view=markup&rev=1.1 Index: php-src/ext/standard/tests/strings/bug40754.phpt +++ php-src/ext/standard/tests/strings/bug40754.phpt -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
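Review bot: in the `@@ -2063,11 +2063,17 @@` hunk of string.c, the negative-side tests `-l > Z_STRLEN_PP(str)` and `-f > Z_STRLEN_PP(str)` negate the caller-supplied value before comparing it. Negating the most negative value of a signed type is itself a signed overflow, so that one input is not reliably rejected by a check whose purpose is to stop overflow. Comparing without negating the input, for example `l < -Z_STRLEN_PP(str)` and `f < -Z_STRLEN_PP(str)`, avoids this, because the string length is never negative and can be negated safely. Separately, `l > Z_STRLEN_PP(str)` now returns FALSE for any length longer than the string; if callers could previously pass an over-long length and get the rest of the string, this is a behaviour change that should either be replaced by a clamp or be called out in the NEWS entry.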
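Review bot: in the `@@ -2190,6 +2196,12 @@` hunk of string.c, the added `l > Z_STRLEN_PP(str)` branch returns FALSE for a length that the unchanged line just below it, `if ((f + l) > Z_STRLEN_PP(str))`, is there to clamp. For a non-negative `f`, an over-long `l` never reaches that clamp any more, so the call fails where the following line would have shortened `l`. If the goal is only to bound `l` before the sum is formed, setting `l = Z_STRLEN_PP(str)` in that branch instead of returning would keep the clamp meaningful. The two added branches both end in `RETURN_FALSE`, so the `else if` can be folded into a single condition, and the `-f` and `-l` negations have the same most-negative-value problem as any signed negation and are better written as `f < -Z_STRLEN_PP(str)`.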