Fixed bug #75575

These functions are never called with needle longer than haystack,
but it makes sense to explicitly check for this, especially as we
already perform a check for empty haystack anyway, which is
naturally subsumed by a haystack_len < needle_len check.

diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
index 540f97943e3b7e49453ef5cba95424bf3f1212a5..cad8d1dff4e773aa302fdd35a93e542b548f4bbe 100644 (file)
--- a/Zend/zend_operators.c
+++ b/Zend/zend_operators.c
@@ -3049,7 +3049,7 @@ ZEND_API const char* ZEND_FASTCALL zend_memnstr_ex(const char *haystack, const c
        register size_t i;
        register const char *p;
 
-       if (needle_len == 0 || (end - haystack) == 0) {
+       if (needle_len == 0 || (end - haystack) < needle_len) {
                return NULL;
        }
 
@@ -3083,7 +3083,7 @@ ZEND_API const char* ZEND_FASTCALL zend_memnrstr_ex(const char *haystack, const
        register size_t i;
        register const char *p;
 
-       if (needle_len == 0 || (end - haystack) == 0) {
+       if (needle_len == 0 || (end - haystack) < needle_len) {
                return NULL;
        }