diff options
| author | Jay Smith <jay@php.net> | 2004-05-06 16:11:50 +0000 |
|---|---|---|
| committer | Jay Smith <jay@php.net> | 2004-05-06 16:11:50 +0000 |
| commit | 8f306fd7490d760f54b75dc4faafd79b87e815f2 (patch) | |
| tree | 0e6b73b2b9863ad521b06459285b315da2224a00 | |
| parent | c6bec7db3b38bfeba335de945f145a05ea611e18 (diff) | |
| download | php-git-8f306fd7490d760f54b75dc4faafd79b87e815f2.tar.gz | |
Fixed a segfault. (It's possible for large offsets to make strrpos()
read past the end of the haystack string...)
| -rw-r--r-- | ext/standard/string.c | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/ext/standard/string.c b/ext/standard/string.c index 24bfd75c37..9bac292371 100644 --- a/ext/standard/string.c +++ b/ext/standard/string.c @@ -1614,7 +1614,9 @@ PHP_FUNCTION(strrpos) e = haystack + haystack_len - needle_len; } else { p = haystack; - if (needle_len > -offset) { + if (-offset > haystack_len) { + e = haystack - needle_len; + } else if (needle_len > -offset) { e = haystack + haystack_len - needle_len; } else { e = haystack + haystack_len + offset; @@ -1681,7 +1683,11 @@ PHP_FUNCTION(strripos) e = haystack + haystack_len - 1; } else { p = haystack; - e = haystack + haystack_len - offset; + if (-offset > haystack_len) { + e = haystack + haystack_len - 1; + } else { + e = haystack + haystack_len + offset; + } } /* Borrow that ord_needle buffer to avoid repeatedly tolower()ing needle */ *ord_needle = tolower(*needle); @@ -1704,7 +1710,9 @@ PHP_FUNCTION(strripos) e = haystack_dup + haystack_len - needle_len; } else { p = haystack_dup; - if (needle_len > -offset) { + if (-offset > haystack_len) { + e = haystack_dup - needle_len; + } else if (needle_len > -offset) { e = haystack_dup + haystack_len - needle_len; } else { e = haystack_dup + haystack_len + offset; |