diff options
author | Nikita Popov <nikita.ppv@gmail.com> | 2021-02-18 10:29:19 +0100 |
---|---|---|
committer | Nikita Popov <nikita.ppv@gmail.com> | 2021-02-18 10:34:54 +0100 |
commit | 85ffe8dcdc2fe39e06037e382e012674ee051e1e (patch) | |
tree | 191fbcbdb2bdfcb4f92ae2b9adb23b39477d3d54 | |
parent | 553a0c52b12d414c83130d845968fac5841236bf (diff) | |
download | php-git-85ffe8dcdc2fe39e06037e382e012674ee051e1e.tar.gz |
Avoid signed integer overflow in substr()
Perform negation after the (size_t) cast rather than before,
so as to avoid a signed integer overflow for PHP_INT_MIN.
Fixes oss-fuzz #31069.
-rw-r--r-- | ext/standard/string.c | 4 | ||||
-rw-r--r-- | ext/standard/tests/strings/substr_int_min.phpt | 10 |
2 files changed, 12 insertions, 2 deletions
diff --git a/ext/standard/string.c b/ext/standard/string.c index 8d0754347a..cf77435f80 100644 --- a/ext/standard/string.c +++ b/ext/standard/string.c @@ -2177,7 +2177,7 @@ PHP_FUNCTION(substr) /* if "from" position is negative, count start position from the end * of the string */ - if ((size_t)-f > ZSTR_LEN(str)) { + if (-(size_t)f > ZSTR_LEN(str)) { f = 0; } else { f = (zend_long)ZSTR_LEN(str) + f; @@ -2191,7 +2191,7 @@ PHP_FUNCTION(substr) /* if "length" position is negative, set it to the length * needed to stop that many chars from the end of the string */ - if ((size_t)(-l) > ZSTR_LEN(str) - (size_t)f) { + if (-(size_t)l > ZSTR_LEN(str) - (size_t)f) { l = 0; } else { l = (zend_long)ZSTR_LEN(str) - f + l; diff --git a/ext/standard/tests/strings/substr_int_min.phpt b/ext/standard/tests/strings/substr_int_min.phpt new file mode 100644 index 0000000000..4c00577e28 --- /dev/null +++ b/ext/standard/tests/strings/substr_int_min.phpt @@ -0,0 +1,10 @@ +--TEST-- +substr() with PHP_INT_MIN offset or length +--FILE-- +<?php +var_dump(substr('x', PHP_INT_MIN)); +var_dump(substr('x', 0, PHP_INT_MIN)); +?> +--EXPECT-- +string(1) "x" +string(0) "" |