fix #33605 (substr_compare() crashes with negative offset & length)
authorAntony Dovgal <tony2001@php.net>
Thu, 7 Jul 2005 15:19:40 +0000 (15:19 +0000)
committerAntony Dovgal <tony2001@php.net>
Thu, 7 Jul 2005 15:19:40 +0000 (15:19 +0000)
NEWS
ext/standard/string.c

diff --git a/NEWS b/NEWS
index 20aee85b3d8a2575846b92ceec9a0653098d1e74..20ff8f09ac81749de1094abda12d7e275dccd548 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,8 @@ PHP                                                                        NEWS
 - Fixed memory corruption in pg_copy_from() in case the as_null parameter was
   passed. (Derick)
 - Fixed crash inside stream_get_line() when length parameter equals 0. (Ilia)
+- Fixed bug #33605 (substr_compare() crashes with negative offset and length). 
+  (Tony)
 - Fixed bug #33578 (strtotime() doesn't understand "11 Oct" format). (Derick)
 - Fixed bug #33562 (date("") crashes). (Derick)
 - Fixed bug #33536 (strtotime() defaults to now even on non time string).
index 31a6d7d295a370c103b9be7913f1ae69c0d891b3..10e9f8dbcf3ac32cee5a3f4006cc31b8bd566d2c 100644 (file)
@@ -4446,6 +4446,10 @@ PHP_FUNCTION(substr_count)
        
        if (ac > 2) {
                convert_to_long_ex(offset);
+               if (Z_LVAL_PP(offset) < 0) {
+                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Offset should be greater then or equal to 0.");
+                       RETURN_FALSE;           
+               }
                p += Z_LVAL_PP(offset);
                if (p > endp) {
                        php_error_docref(NULL TSRMLS_CC, E_WARNING, "Offset value %ld exceeds string length.", Z_LVAL_PP(offset));
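Review bot: The upper-bound test after the new negative-offset guard still runs on the already advanced pointer, because `p += Z_LVAL_PP(offset);` comes before `if (p > endp)`. A very large positive offset can therefore move `p` outside the buffer (undefined behaviour) or wrap it so that the comparison passes. Assuming `p` and `endp` delimit the haystack, compare the count before advancing, `if (Z_LVAL_PP(offset) > endp - p) {`, and do the same for the length test in the next hunk, `if (Z_LVAL_PP(length) > endp - p) {`. The new warning text also says "greater then"; it should read `"Offset should be greater than or equal to 0."`. The function body starts and ends outside the hunk.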
@@ -4453,6 +4457,10 @@ PHP_FUNCTION(substr_count)
                }
                if (ac == 4) {
                        convert_to_long_ex(length);
+                       if (Z_LVAL_PP(length) <= 0) {
+                               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Length should be greater than 0.");
+                               RETURN_FALSE;           
+                       }
                        if ((p + Z_LVAL_PP(length)) > endp) {
                                php_error_docref(NULL TSRMLS_CC, E_WARNING, "Length value %ld exceeds string length.", Z_LVAL_PP(length));
                                RETURN_FALSE;
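Review bot: The commit title and the NEWS entry name substr_compare(), but both hunk headers place the new guards in `PHP_FUNCTION(substr_count)`; confirm which function bug #33605 affects and make the NEWS line match. The changed-file list shows only NEWS and ext/standard/string.c, so the fix has no regression test; one that passes a negative offset and a zero or negative length would pin the new warnings. `Z_LVAL_PP(length) <= 0` also rejects a length of 0, which deserves a one-line comment above the check such as `/* a zero length is rejected as well, not treated as an empty range */`. The enclosing block continues outside the hunk.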