diff options
author | Christoph M. Becker <cmbecker69@gmx.de> | 2016-08-30 14:48:24 +0200 |
---|---|---|
committer | Christoph M. Becker <cmbecker69@gmx.de> | 2016-08-30 14:52:47 +0200 |
commit | 2f10db36af2776f386b7433c5cbfe79e66edd14d (patch) | |
tree | 833f6862c475ae1f556aff1a3e58fd7fee7dfee7 | |
parent | af7828a20f085c6cd2b720b093ee08f299505257 (diff) | |
download | php-git-2f10db36af2776f386b7433c5cbfe79e66edd14d.tar.gz |
Fix #66797: mb_substr only takes 32-bit signed integer
`from` and `len` are `long`, but get passed to mbfl_substr() which expects
`int`s. Therefore we clamp the values to avoid the undefined conversion
behavior.
-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | ext/mbstring/mbstring.c | 7 | ||||
-rw-r--r-- | ext/mbstring/tests/bug66797.phpt | 23 |
3 files changed, 33 insertions, 0 deletions
@@ -31,6 +31,9 @@ PHP NEWS - JSON: . Fixed bug #72787 (json_decode reads out of bounds). (Jakub Zelenka) +- mbstring: + . Fixed bug #66797 (mb_substr only takes 32-bit signed integer). (cmb) + - MSSQL: . Fixed bug #72039 (Use of uninitialised value on mssql_guid_string). (Kalle) diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c index 1cfaf2cc36..ee8a00912b 100644 --- a/ext/mbstring/mbstring.c +++ b/ext/mbstring/mbstring.c @@ -2799,6 +2799,13 @@ PHP_FUNCTION(mb_substr) RETURN_FALSE; } + if (from > INT_MAX) { + from = INT_MAX; + } + if (len > INT_MAX) { + len = INT_MAX; + } + ret = mbfl_substr(&string, &result, from, len); if (NULL == ret) { RETURN_FALSE; diff --git a/ext/mbstring/tests/bug66797.phpt b/ext/mbstring/tests/bug66797.phpt new file mode 100644 index 0000000000..df9e789be6 --- /dev/null +++ b/ext/mbstring/tests/bug66797.phpt @@ -0,0 +1,23 @@ +--TEST-- +Bug #66797 (mb_substr only takes 32-bit signed integer) +--SKIPIF-- +<?php +if (!extension_loaded('mbstring')) die('skip mbstring extension not available'); +if (PHP_INT_SIZE != 8) die('skip this test is for 64bit platforms only'); +?> +--FILE-- +<?php +var_dump( + mb_substr('bar', 0, 0x7fffffff), + mb_substr('bar', 0, 0x80000000), + mb_substr('bar', 0xffffffff, 1), + mb_substr('bar', 0x100000000, 1) +); +?> +==DONE== +--EXPECTF-- +string(3) "bar" +string(3) "bar" +string(0) "" +string(0) "" +==DONE== |