fix segfault in strripos() when offset == INT_MAX+1
authorAntony Dovgal <tony2001@php.net>
Thu, 10 May 2007 22:08:35 +0000 (22:08 +0000)
committerAntony Dovgal <tony2001@php.net>
Thu, 10 May 2007 22:08:35 +0000 (22:08 +0000)
identified and reported by Joxean Koret

ext/standard/string.c
ext/standard/tests/strings/strripos_offset.phpt [new file with mode: 0644]

index 7f9d15b4e588c23bc27d706bfda21073bf4aaa52..f3f2210cf2608197ac3c5f8cadccd47e6cc05ac5 100644 (file)
@@ -2915,7 +2915,7 @@ PHP_FUNCTION(strripos)
                        u_e = haystack.u + haystack_len - needle_len;
                } else {
                        u_p = haystack.u;
-                       if (-offset > haystack_len) {
+                       if (-offset > haystack_len || -offset < 0) {
                                RETURN_FALSE;
                        } else {
                                cu_offset = haystack_len;
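Review bot: The added `-offset < 0` test still negates `offset` before comparing, and when `offset` holds the most negative value of its type that negation is signed overflow, which is undefined behaviour in C, so an optimising compiler is entitled to treat the test as always false on this branch and drop it. Comparing without negating covers both conditions in one test: `if (offset < -haystack_len) {`, assuming `haystack_len` is a non-negative signed length (its declaration and the enclosing `if` are outside the hunk). The same condition is added in the two later hunks of strripos() and would take the same change. A short comment such as `/* offset may be the minimum value of its type; never negate it */` would keep the guard from being simplified back later.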
@@ -2953,7 +2953,7 @@ PHP_FUNCTION(strripos)
                                e = haystack.s + haystack_len - 1;
                        } else {
                                p = haystack.s;
-                               if (-offset > haystack_len) {
+                               if (-offset > haystack_len || -offset < 0) {
                                        RETURN_FALSE;
                                } else {
                                        e = haystack.s + haystack_len + offset;
@@ -2984,7 +2984,7 @@ PHP_FUNCTION(strripos)
                        p = haystack_dup + offset;
                        e = haystack_dup + haystack_len - needle_len;
                } else {
-                       if (-offset > haystack_len) {
+                       if (-offset > haystack_len || -offset < 0) {
                                efree(haystack_dup);
                                efree(needle_dup);
                                RETURN_FALSE;
diff --git a/ext/standard/tests/strings/strripos_offset.phpt b/ext/standard/tests/strings/strripos_offset.phpt
new file mode 100644 (file)
index 0000000..0dd22cb
--- /dev/null
@@ -0,0 +1,43 @@
+--TEST--
+strripos() offset integer overflow
+--FILE--
+<?php
+
+var_dump(strripos("t", "t", PHP_INT_MAX+1));
+var_dump(strripos("tttt", "tt", PHP_INT_MAX+1));
+var_dump(strripos(100, 101, PHP_INT_MAX+1));
+var_dump(strripos(1024, 1024, PHP_INT_MAX+1));
+var_dump(strripos(array(), array(), PHP_INT_MAX+1));
+var_dump(strripos(1024, 1024, -PHP_INT_MAX));
+var_dump(strripos(1024, "te", -PHP_INT_MAX));
+var_dump(strripos(1024, 1024, -PHP_INT_MAX-1));
+var_dump(strripos(1024, "te", -PHP_INT_MAX-1));
+
+echo "Done\n";
+?>
+--EXPECTF--    
+bool(false)
+bool(false)
+bool(false)
+bool(false)
+
+Warning: strripos() expects parameter 1 to be string (Unicode or binary), array given in %s on line %d
+bool(false)
+bool(false)
+bool(false)
+bool(false)
+bool(false)
+Done
+--UEXPECTF--
+bool(false)
+bool(false)
+bool(false)
+bool(false)
+
+Warning: strripos() expects parameter 1 to be string (Unicode or binary), array given in %s on line %d
+bool(false)
+bool(false)
+bool(false)
+bool(false)
+bool(false)
+Done
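Review bot: The exact minimum-integer offset, `-PHP_INT_MAX-1`, is only exercised with haystack `1024` and needles `1024` and `"te"`, which are longer than one character, so the single-character-needle path patched in string.c appears to be reached only through `PHP_INT_MAX+1`. That expression is a float in PHP and its conversion to an integer offset may differ between platforms, so the test may not hit the overflow everywhere. Adding `var_dump(strripos("t", "t", -PHP_INT_MAX-1));` with a matching `bool(false)` line in both `--EXPECTF--` and `--UEXPECTF--` would pin that branch directly.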