fix #36944 (strncmp & strncasecmp do not return false on negative string length)

2 files changed, 14 insertions, 0 deletions

diff --git a/NEWS b/NEWS
index 6f23dd2177..e81aadccb5 100644
--- a/NEWS
+++ b/NEWS
@@ -14,6 +14,8 @@ PHP                                                                        NEWS
 - Fixed debug_zval_dump() to support private and protected members. (Dmitry)
 - Fixed SoapFault::getMessage(). (Dmitry)
 - Fixed bug #36957 (serialize() does not handle recursion). (Ilia)
+- Fixed bug #36944 (strncmp & strncasecmp do not return false on negative 
+  string length). (Tony)
 - Fixed bug #36941 (ArrayIterator does not clone itself). (Marcus)
 - Fixed bug #36898 (__set() leaks in classes extending internal ones). 
   (Tony, Dmitry)
diff --git a/Zend/zend_builtin_functions.c b/Zend/zend_builtin_functions.c
index 07e5bf6ad1..f4a432d028 100644
--- a/Zend/zend_builtin_functions.c
+++ b/Zend/zend_builtin_functions.c
@@ -314,6 +314,12 @@ ZEND_FUNCTION(strncmp)
 	convert_to_string_ex(s1);
 	convert_to_string_ex(s2);
 	convert_to_long_ex(s3);
+
+	if (Z_LVAL_PP(s3) < 0) {
+		zend_error(E_WARNING, "Length must be greater than or equal to 0");
+		RETURN_FALSE;
+	}
+	
 	RETURN_LONG(zend_binary_zval_strncmp(*s1, *s2, *s3));
 }
 /* }}} */
@@ -347,6 +353,12 @@ ZEND_FUNCTION(strncasecmp)
 	convert_to_string_ex(s1);
 	convert_to_string_ex(s2);
 	convert_to_long_ex(s3);
+
+	if (Z_LVAL_PP(s3) < 0) {
+		zend_error(E_WARNING, "Length must be greater than or equal to 0");
+		RETURN_FALSE;
+	}
+
 	RETURN_LONG(zend_binary_zval_strncasecmp(*s1, *s2, *s3));
 }
 /* }}} */