diff options
| author | Christoph M. Becker <cmbecker69@gmx.de> | 2018-12-29 14:17:23 +0100 |
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2019-01-06 12:24:15 -0800 |
| commit | e617f03066ce81d26f56c06d6bd7787c7de08703 (patch) | |
| tree | 10e221149035ff96fcffe9e70a996dfaf01e3a5a /ext/mbstring/php_mbregex.c | |
| parent | e40027ef0f508be87b323f61532cea0104212b53 (diff) | |
| download | php-git-e617f03066ce81d26f56c06d6bd7787c7de08703.tar.gz | |
Fix #77367: Negative size parameter in mb_split
When adding the last element to the result value of `mb_split`, the
`chunk_pos` may point beyond the end of the string, in which case the
unsigned `n` would underflow. Therefore, we check whether this is the
case in the first place, and only calculate `n` otherwise. Since `n`
is no longer used outside the block, we move its declaration inside.
Diffstat (limited to 'ext/mbstring/php_mbregex.c')
| -rw-r--r-- | ext/mbstring/php_mbregex.c | 5 |
1 files changed, 2 insertions, 3 deletions
diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c index 68922b6966..85219b00e4 100644 --- a/ext/mbstring/php_mbregex.c +++ b/ext/mbstring/php_mbregex.c @@ -1238,7 +1238,6 @@ PHP_FUNCTION(mb_split) size_t string_len; int err; - size_t n; zend_long count = -1; if (zend_parse_parameters(ZEND_NUM_ARGS(), "ss|l", &arg_pattern, &arg_pattern_len, &string, &string_len, &count) == FAILURE) { @@ -1296,8 +1295,8 @@ PHP_FUNCTION(mb_split) } /* otherwise we just have one last element to add to the array */ - n = ((OnigUChar *)(string + string_len) - chunk_pos); - if (n > 0) { + if ((OnigUChar *)(string + string_len) > chunk_pos) { + size_t n = ((OnigUChar *)(string + string_len) - chunk_pos); add_next_index_stringl(return_value, (char *)chunk_pos, n); } else { add_next_index_stringl(return_value, "", 0); |