authorAntony Dovgal <tony2001@php.net>2005-07-07 15:19:40 +0000
committerAntony Dovgal <tony2001@php.net>2005-07-07 15:19:40 +0000
commit3baf1f7632dd5fe0789707b8bbf197dc388c34f5 (patch)
tree988a29c617f145d975ee1e80cb946128a0dd67a6
parentd9c1a380ad0b073c8750f130a412229aeaed9a1b (diff)
fix #33605 (substr_compare() crashes with negative offset & length)
-rw-r--r--NEWS2
-rw-r--r--ext/standard/string.c8
2 files changed, 10 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 20aee85b3d..20ff8f09ac 100644
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,8 @@ PHP NEWS
- Fixed memory corruption in pg_copy_from() in case the as_null parameter was
passed. (Derick)
- Fixed crash inside stream_get_line() when length parameter equals 0. (Ilia)
+- Fixed bug #33605 (substr_compare() crashes with negative offset and length).
+ (Tony)
- Fixed bug #33578 (strtotime() doesn't understand "11 Oct" format). (Derick)
- Fixed bug #33562 (date("") crashes). (Derick)
- Fixed bug #33536 (strtotime() defaults to now even on non time string).
diff --git a/ext/standard/string.c b/ext/standard/string.c
index 31a6d7d295..10e9f8dbcf 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -4446,6 +4446,10 @@ PHP_FUNCTION(substr_count)
if (ac > 2) {
convert_to_long_ex(offset);
+ if (Z_LVAL_PP(offset) < 0) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Offset should be greater then or equal to 0.");
+ RETURN_FALSE;
+ }
p += Z_LVAL_PP(offset);
if (p > endp) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Offset value %ld exceeds string length.", Z_LVAL_PP(offset));
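Review bot: The upper-bound test after the new negative-offset guard still runs `p += Z_LVAL_PP(offset)` before comparing with `endp`, so a very large positive offset can push `p` beyond the buffer (undefined pointer arithmetic that may wrap) and slip under the `p > endp` check. Comparing the value with the remaining length before adding avoids this, e.g. `if (Z_LVAL_PP(offset) > endp - p) {` placed ahead of the `p +=` line. The same pattern appears in the second hunk as `(p + Z_LVAL_PP(length)) > endp`, which could become `Z_LVAL_PP(length) > endp - p`. The new warning text also reads "greater then" where "greater than" is meant. The hunk header names substr_count while the commit subject names substr_compare(), and the enclosing function begins and ends outside the hunk, so it is worth confirming which function is actually patched.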
@@ -4453,6 +4457,10 @@ PHP_FUNCTION(substr_count)
}
if (ac == 4) {
convert_to_long_ex(length);
+ if (Z_LVAL_PP(length) <= 0) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Length should be greater than 0.");
+ RETURN_FALSE;
+ }
if ((p + Z_LVAL_PP(length)) > endp) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Length value %ld exceeds string length.", Z_LVAL_PP(length));
RETURN_FALSE;
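Review bot: The new `Z_LVAL_PP(length) <= 0` guard rejects a zero length together with negative ones, and nothing in the hunk says why zero is treated as an error rather than as an empty range. A short comment above the guard would record the intent, for example `/* length must be positive: zero and negative values are rejected with a warning rather than treated as an empty range */`. The rest of the function lies outside the hunk, so whether a zero length was previously harmless cannot be confirmed from here.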