diff options
Diffstat (limited to 'ext/standard/string.c')
| -rw-r--r-- | ext/standard/string.c | 23 |
1 files changed, 10 insertions, 13 deletions
diff --git a/ext/standard/string.c b/ext/standard/string.c index 9498496fce..da473d985c 100644 --- a/ext/standard/string.c +++ b/ext/standard/string.c @@ -2401,7 +2401,7 @@ PHP_FUNCTION(substr_replace) l = Z_STRLEN_PP(str); } - if ((f + l) > Z_STRLEN_PP(str)) { + if (f > Z_STRLEN_PP(str) - l) { l = Z_STRLEN_PP(str) - f; } if (Z_TYPE_PP(repl) == IS_ARRAY) { @@ -2414,7 +2414,7 @@ PHP_FUNCTION(substr_replace) repl_len = Z_STRLEN_PP(repl); } result_len = Z_STRLEN_PP(str) - l + repl_len; - result = emalloc(result_len + 1); + result = safe_emalloc_string(1, result_len, 1); memcpy(result, Z_STRVAL_PP(str), f); if (repl_len) { @@ -2556,7 +2556,7 @@ PHP_FUNCTION(substr_replace) result_len += Z_STRLEN_P(repl_str); zend_hash_move_forward_ex(Z_ARRVAL_PP(repl), &pos_repl); - result = emalloc(result_len + 1); + result = safe_emalloc_string(1, result_len, 1); memcpy(result, Z_STRVAL_P(orig_str), f); memcpy((result + f), Z_STRVAL_P(repl_str), Z_STRLEN_P(repl_str)); @@ -2565,7 +2565,7 @@ PHP_FUNCTION(substr_replace) zval_dtor(repl_str); } } else { - result = emalloc(result_len + 1); + result = safe_emalloc_string(1, result_len, 1); memcpy(result, Z_STRVAL_P(orig_str), f); memcpy((result + f), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l); @@ -2573,7 +2573,7 @@ PHP_FUNCTION(substr_replace) } else { result_len += Z_STRLEN_PP(repl); - result = emalloc(result_len + 1); + result = safe_emalloc_string(1, result_len, 1); memcpy(result, Z_STRVAL_P(orig_str), f); memcpy((result + f), Z_STRVAL_PP(repl), Z_STRLEN_PP(repl)); @@ -2620,7 +2620,7 @@ PHP_FUNCTION(quotemeta) RETURN_FALSE; } - str = safe_emalloc(2, old_len, 1); + str = safe_emalloc_string(2, old_len, 1); for (p = old, q = str; p != old_end; p++) { c = *p; @@ -3646,7 +3646,7 @@ PHPAPI int php_char_to_str_ex(char *str, uint len, char from, char *to, int to_l if (Z_STRLEN_P(result) < 0) { zend_error(E_ERROR, "String size overflow"); } - Z_STRVAL_P(result) = target = safe_emalloc(char_count, to_len, len + 1); + Z_STRVAL_P(result) = target = safe_emalloc_string(char_count, to_len, len + 1); Z_TYPE_P(result) = IS_STRING; if (case_sensitivity) { @@ -3776,7 +3776,7 @@ PHPAPI char *php_str_to_str_ex(char *haystack, int length, } return new_str; } else { - new_str = safe_emalloc(count, str_len - needle_len, length + 1); + new_str = safe_emalloc_string(count, str_len - needle_len, length + 1); } } @@ -4307,10 +4307,7 @@ PHP_FUNCTION(nl2br) size_t repl_len = is_xhtml ? (sizeof("<br />") - 1) : (sizeof("<br>") - 1); new_length = str_len + repl_cnt * repl_len; - if (UNEXPECTED(new_length > INT_MAX)) { - zend_error(E_ERROR, "String size overflow"); - } - tmp = target = safe_emalloc(repl_cnt, repl_len, str_len + 1); + tmp = target = safe_emalloc_string(repl_cnt, repl_len, str_len + 1); } while (str < end) { @@ -5303,7 +5300,7 @@ PHP_FUNCTION(str_pad) php_error_docref(NULL TSRMLS_CC, E_WARNING, "Padding length is too long"); return; } - result = (char *)emalloc(input_len + num_pad_chars + 1); + result = (char *)safe_emalloc_string(1, input_len, num_pad_chars + 1); /* We need to figure out the left/right padding lengths. */ switch (pad_type_val) { |