diff options
| author | Scott MacVicar <scottmac@php.net> | 2008-07-22 01:10:58 +0000 |
|---|---|---|
| committer | Scott MacVicar <scottmac@php.net> | 2008-07-22 01:10:58 +0000 |
| commit | 6c48a01f40ff390c811f7080a19284c6e093980c (patch) | |
| tree | da22fa8a37b7d39b8c702657a05b2735f93f2385 | |
| parent | f349c14414c61c706b466d4bb2bd7e3de3087a2e (diff) | |
| download | php-git-6c48a01f40ff390c811f7080a19284c6e093980c.tar.gz | |
MFH: Fix integer oveflow in strrpos()
| -rw-r--r-- | ext/standard/string.c | 2 | ||||
| -rw-r--r-- | ext/standard/tests/strings/strrpos_offset.phpt | 41 |
2 files changed, 42 insertions, 1 deletions
diff --git a/ext/standard/string.c b/ext/standard/string.c index 9930110624..3d6dabfe7a 100644 --- a/ext/standard/string.c +++ b/ext/standard/string.c @@ -1842,7 +1842,7 @@ PHP_FUNCTION(strrpos) p = haystack + offset; e = haystack + haystack_len - needle_len; } else { - if (-offset > haystack_len) { + if (-offset > haystack_len || offset < -INT_MAX) { php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Offset is greater than the length of haystack string"); RETURN_FALSE; } diff --git a/ext/standard/tests/strings/strrpos_offset.phpt b/ext/standard/tests/strings/strrpos_offset.phpt new file mode 100644 index 0000000000..6d641ab1e1 --- /dev/null +++ b/ext/standard/tests/strings/strrpos_offset.phpt @@ -0,0 +1,41 @@ +--TEST-- +strrpos() offset integer overflow +--FILE-- +<?php + +var_dump(strrpos("t", "t", PHP_INT_MAX+1)); +var_dump(strrpos("tttt", "tt", PHP_INT_MAX+1)); +var_dump(strrpos(100, 101, PHP_INT_MAX+1)); +var_dump(strrpos(1024, 1024, PHP_INT_MAX+1)); +var_dump(strrpos(1024, 1024, -PHP_INT_MAX)); +var_dump(strrpos(1024, "te", -PHP_INT_MAX)); +var_dump(strrpos(1024, 1024, -PHP_INT_MAX-1)); +var_dump(strrpos(1024, "te", -PHP_INT_MAX-1)); + +echo "Done\n"; +?> +--EXPECTF-- +Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d +bool(false) + +Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d +bool(false) + +Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d +bool(false) + +Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d +bool(false) + +Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d +bool(false) + +Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d +bool(false) + +Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d +bool(false) + +Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d +bool(false) +Done |