Fix chunk_split fix - avoid using floats

Fix money_format - don't give strfmon more arguments then supplied
Fix str[c]spn integer overflow

diff --git a/ext/standard/string.c b/ext/standard/string.c
index ca481223457416a9be1182e022dee63a5ca8dc35..161f7e51d598e740cae85268640c878900475257 100644 (file)
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -239,10 +239,14 @@ static void php_spn_common_handler(INTERNAL_FUNCTION_PARAMETERS, int behavior) /
                }
        }
        
-       if ((start + len) > len1) {
+       if (len > len1 - start) {
                len = len1 - start;
        }
 
+       if(len == 0) {
+               RETURN_LONG(0);
+       }
+
        if (behavior == STR_STRSPN) {
                RETURN_LONG(php_strspn(s11 + start /*str1_start*/,
                                                s22 /*str2_start*/,
@@ -1956,18 +1960,23 @@ static char *php_chunk_split(char *src, int srclen, char *end, int endlen, int c
        char *p, *q;
        int chunks; /* complete chunks! */
        int restlen;
-       float out_len; 
+       int out_len; 
 
        chunks = srclen / chunklen;
        restlen = srclen - chunks * chunklen; /* srclen % chunklen */
 
+       if(chunks > INT_MAX - 1) {
+               return NULL;
+       }
        out_len = chunks + 1;
+       if(out_len > INT_MAX/endlen) {
+               return NULL;
+       }
        out_len *= endlen;
-       out_len += srclen + 1;
-
-       if (out_len > INT_MAX || out_len <= 0) {
+       if(out_len > INT_MAX - srclen - 1) {
                return NULL;
        }
+       out_len += srclen + 1;
 
        dest = safe_emalloc((int)out_len, sizeof(char), 0);
 
@@ -4985,13 +4994,28 @@ PHP_FUNCTION(str_word_count)
 PHP_FUNCTION(money_format)
 {
        int format_len = 0, str_len;
-       char *format, *str;
+       char *format, *str, *p, *e;
        double value;
+       zend_bool check = 0;
 
        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sd", &format, &format_len, &value) == FAILURE) {
                return;
        }
 
+       p = format;
+       e = p + format_len;
+       while ((p = memchr(p, '%', (e - p)))) {
+               if (*(p + 1) == '%') {
+                       p += 2; 
+               } else if (!check) {
+                       check = 1;
+                       p++;
+               } else {
+                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Only a single %%i or %%n token can be used");
+                       RETURN_FALSE;
+               }
+       }
+
        str_len = format_len + 1024;
        str = emalloc(str_len);
        if ((str_len = strfmon(str, str_len, format, value)) < 0) {