iliaa           Fri Mar  9 01:58:35 2007 UTC

  Added files:                 (Branch: PHP_5_2)
    /php-src/ext/standard/tests/strings bug40754.phpt 

  Modified files:              
    /php-src/ext/standard       string.c 
    /php-src    NEWS 
  Log:
  
  Fixed bug #40754 (added substr() & substr_replace() overflow checks). 
  
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.445.2.14.2.49&r2=1.445.2.14.2.50&diff_format=u
Index: php-src/ext/standard/string.c
diff -u php-src/ext/standard/string.c:1.445.2.14.2.49 
php-src/ext/standard/string.c:1.445.2.14.2.50
--- php-src/ext/standard/string.c:1.445.2.14.2.49       Thu Mar  8 00:47:04 2007
+++ php-src/ext/standard/string.c       Fri Mar  9 01:58:34 2007
@@ -18,7 +18,7 @@
    +----------------------------------------------------------------------+
  */
 
-/* $Id: string.c,v 1.445.2.14.2.49 2007/03/08 00:47:04 stas Exp $ */
+/* $Id: string.c,v 1.445.2.14.2.50 2007/03/09 01:58:34 iliaa Exp $ */
 
 /* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */
 
@@ -2063,11 +2063,17 @@
        if (argc > 2) {
                convert_to_long_ex(len);
                l = Z_LVAL_PP(len);
+               if (l > Z_STRLEN_PP(str) || (l < 0 && -l > Z_STRLEN_PP(str))) {
+                       RETURN_FALSE;
+               }
        } else {
                l = Z_STRLEN_PP(str);
        }
        
        f = Z_LVAL_PP(from);
+       if (f > Z_STRLEN_PP(str) || (f < 0 && -f > Z_STRLEN_PP(str))) {
+               RETURN_FALSE;
+       }
 
        /* if "from" position is negative, count start position from the end
         * of the string
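Review bot: The negative-side test `(l < 0 && -l > Z_STRLEN_PP(str))` negates a caller-controlled value, and negating the most negative value of a signed type is undefined behaviour in C; in practice the result usually stays negative, so that one input passes the guard. The same form is used for `f` in this hunk and for both `f` and `l` in the substr_replace hunk at -2190. Comparing against the negated length avoids negating untrusted input, since the length is never negative: `if (l > Z_STRLEN_PP(str) || l < -Z_STRLEN_PP(str)) {`, and likewise for `f`. The declarations of `l` and `f` are outside the hunk; if they are narrower than the `long` that `Z_LVAL_PP` yields, the assignment truncates before the check runs, so the bound would need to be tested on the `long` value first.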
@@ -2190,6 +2196,12 @@
                                }
                        }
 
+                       if (f > Z_STRLEN_PP(str) || (f < 0 && -f > 
Z_STRLEN_PP(str))) {
+                               RETURN_FALSE;
+                       } else if (l > Z_STRLEN_PP(str) || (l < 0 && -l > 
Z_STRLEN_PP(str))) {
+                               RETURN_FALSE;
+                       }
+
                        if ((f + l) > Z_STRLEN_PP(str)) {
                                l = Z_STRLEN_PP(str) - f;
                        }
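Review bot: The upper bound `l > Z_STRLEN_PP(str)` returns FALSE for a length that the clamp directly below, `if ((f + l) > Z_STRLEN_PP(str))`, would have shortened to the end of the string, so callers passing an over-long length now appear to get a failure instead of a truncated replacement. If the goal is only to keep `f + l` from overflowing, clamping keeps the old result: `if (l > Z_STRLEN_PP(str)) { l = Z_STRLEN_PP(str); }`. The substr hunk adds the same upper bound on `l`; whether it has the same effect depends on code outside that hunk. The body of bug40754.phpt is not shown on this page, so it is unclear whether over-long lengths are covered by the test. The enclosing block starts before and ends after this hunk.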
http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.581&r2=1.2027.2.547.2.582&diff_format=u
Index: php-src/NEWS
diff -u php-src/NEWS:1.2027.2.547.2.581 php-src/NEWS:1.2027.2.547.2.582
--- php-src/NEWS:1.2027.2.547.2.581     Thu Mar  8 22:53:37 2007
+++ php-src/NEWS        Fri Mar  9 01:58:34 2007
@@ -16,6 +16,7 @@
 - Added tidyNode::getParent() method (John, Nuno)
 - Fixed zend_llist_remove_tail (Michael Wallner, Dmitry)
 - Fixed a thread safety issue in gd gif read code (Nuno, Roman Nemecek)
+- Fixed bug #40754 (added substr() & substr_replace() overflow checks). (Ilia)
 - Fixed bug #40752 (parse_ini_file() segfaults when a scalar setting is 
   redeclared as an array). (Tony)
 - Fixed bug #40727 (segfault in PDO when failed to bind parameters). (Tony)

http://cvs.php.net/viewvc.cgi/php-src/ext/standard/tests/strings/bug40754.phpt?view=markup&rev=1.1
Index: php-src/ext/standard/tests/strings/bug40754.phpt
+++ php-src/ext/standard/tests/strings/bug40754.phpt
