diff options
| -rw-r--r-- | ext/standard/string.c | 2 | ||||
| -rw-r--r-- | ext/standard/tests/strings/strrpos_offset.phpt | 41 |
2 files changed, 42 insertions, 1 deletions
diff --git a/ext/standard/string.c b/ext/standard/string.c index 9930110624..3d6dabfe7a 100644 --- a/ext/standard/string.c +++ b/ext/standard/string.c @@ -1842,7 +1842,7 @@ PHP_FUNCTION(strrpos) p = haystack + offset; e = haystack + haystack_len - needle_len; } else { - if (-offset > haystack_len) { + if (-offset > haystack_len || offset < -INT_MAX) { php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Offset is greater than the length of haystack string"); RETURN_FALSE; } diff --git a/ext/standard/tests/strings/strrpos_offset.phpt b/ext/standard/tests/strings/strrpos_offset.phpt new file mode 100644 index 0000000000..6d641ab1e1 --- /dev/null +++ b/ext/standard/tests/strings/strrpos_offset.phpt @@ -0,0 +1,41 @@ +--TEST-- +strrpos() offset integer overflow +--FILE-- +<?php + +var_dump(strrpos("t", "t", PHP_INT_MAX+1)); +var_dump(strrpos("tttt", "tt", PHP_INT_MAX+1)); +var_dump(strrpos(100, 101, PHP_INT_MAX+1)); +var_dump(strrpos(1024, 1024, PHP_INT_MAX+1)); +var_dump(strrpos(1024, 1024, -PHP_INT_MAX)); +var_dump(strrpos(1024, "te", -PHP_INT_MAX)); +var_dump(strrpos(1024, 1024, -PHP_INT_MAX-1)); +var_dump(strrpos(1024, "te", -PHP_INT_MAX-1)); + +echo "Done\n"; +?> +--EXPECTF-- +Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d +bool(false) + +Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d +bool(false) + +Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d +bool(false) + +Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d +bool(false) + +Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d +bool(false) + +Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d +bool(false) + +Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d +bool(false) + +Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d +bool(false) +Done |