diff options
| author | Nikita Popov <nikita.ppv@gmail.com> | 2020-12-16 17:01:15 +0100 |
|---|---|---|
| committer | Nikita Popov <nikita.ppv@gmail.com> | 2020-12-16 17:01:15 +0100 |
| commit | c56701690a184c13fa850e9946f09bac7172c604 (patch) | |
| tree | ae1f9705218540ee0ecbc876028c23de23126e50 | |
| parent | 205d209de931d5c5e1535277531a7e4dc8a6000a (diff) | |
| download | php-git-c56701690a184c13fa850e9946f09bac7172c604.tar.gz | |
Detect overlarge step for character range()
This was done for int and float ranges, but not char ranges.
Fixes oss-fuzz #28666.
| -rw-r--r-- | ext/standard/array.c | 4 | ||||
| -rw-r--r-- | ext/standard/tests/array/range_errors.phpt | 22 |
2 files changed, 24 insertions, 2 deletions
diff --git a/ext/standard/array.c b/ext/standard/array.c index f99af84611..3967d83242 100644 --- a/ext/standard/array.c +++ b/ext/standard/array.c @@ -2756,7 +2756,7 @@ PHP_FUNCTION(range) high = (unsigned char)Z_STRVAL_P(zhigh)[0]; if (low > high) { /* Negative Steps */ - if (lstep <= 0) { + if (low - high < lstep || lstep <= 0) { err = 1; goto err; } @@ -2773,7 +2773,7 @@ PHP_FUNCTION(range) } } ZEND_HASH_FILL_END(); } else if (high > low) { /* Positive Steps */ - if (lstep <= 0) { + if (high - low < lstep || lstep <= 0) { err = 1; goto err; } diff --git a/ext/standard/tests/array/range_errors.phpt b/ext/standard/tests/array/range_errors.phpt index dd8b69a82a..7bc552ee97 100644 --- a/ext/standard/tests/array/range_errors.phpt +++ b/ext/standard/tests/array/range_errors.phpt @@ -47,6 +47,20 @@ try { echo $e->getMessage(), "\n"; } +echo "\n\n-- Testing ( (low < high) && (high-low < step) ) for characters --\n"; +try { + var_dump(range('a', 'z', 100)); +} catch (\ValueError $e) { + echo $e->getMessage(), "\n"; +} + +echo "\n\n-- Testing ( (low > high) && (low-high < step) ) for characters --\n"; +try { + var_dump(range('z', 'a', 100)); +} catch (\ValueError $e) { + echo $e->getMessage(), "\n"; +} + echo "\n-- Testing other conditions --\n"; try { var_dump( range(-1, -2, 2) ); @@ -97,6 +111,14 @@ range(): Argument #3 ($step) must not exceed the specified range -- Testing ( (low > high) && (low-high < step) ) -- range(): Argument #3 ($step) must not exceed the specified range + +-- Testing ( (low < high) && (high-low < step) ) for characters -- +range(): Argument #3 ($step) must not exceed the specified range + + +-- Testing ( (low > high) && (low-high < step) ) for characters -- +range(): Argument #3 ($step) must not exceed the specified range + -- Testing other conditions -- range(): Argument #3 ($step) must not exceed the specified range range(): Argument #3 ($step) must be of type int|float, string given |