Fix #66797: mb_substr only takes 32-bit signed integer

`from` and `len` are `long`, but get passed to mbfl_substr() which expects `int`s. Therefore we clamp the values to avoid the undefined conversion behavior.
author: Christoph M. Becker <cmbecker69@gmx.de> 2016-08-30 14:48:24 +0200
committer: Christoph M. Becker <cmbecker69@gmx.de> 2016-08-30 14:52:47 +0200
commit: 2f10db36af2776f386b7433c5cbfe79e66edd14d (patch)
tree: 833f6862c475ae1f556aff1a3e58fd7fee7dfee7 /ext/mbstring/mbstring.c
parent: af7828a20f085c6cd2b720b093ee08f299505257 (diff)
download: php-git-2f10db36af2776f386b7433c5cbfe79e66edd14d.tar.gz
1 files changed, 7 insertions, 0 deletions
diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c
index 1cfaf2cc36..ee8a00912b 100644
--- a/ext/mbstring/mbstring.c
+++ b/ext/mbstring/mbstring.c
@@ -2799,6 +2799,13 @@ PHP_FUNCTION(mb_substr)
 		RETURN_FALSE;
 	}
 
+	if (from > INT_MAX) {
+		from = INT_MAX;
+	}
+	if (len > INT_MAX) {
+		len = INT_MAX;
+	}
+
 	ret = mbfl_substr(&string, &result, from, len);
 	if (NULL == ret) {
 		RETURN_FALSE;
author	Christoph M. Becker <cmbecker69@gmx.de>	2016-08-30 14:48:24 +0200
committer	Christoph M. Becker <cmbecker69@gmx.de>	2016-08-30 14:52:47 +0200
commit	2f10db36af2776f386b7433c5cbfe79e66edd14d (patch)
tree	833f6862c475ae1f556aff1a3e58fd7fee7dfee7 /ext/mbstring/mbstring.c
parent	af7828a20f085c6cd2b720b093ee08f299505257 (diff)
download	php-git-2f10db36af2776f386b7433c5cbfe79e66edd14d.tar.gz