p = haystack + offset;
e = haystack + haystack_len - needle_len;
} else {
- if (-offset > haystack_len) {
+ if (-offset > haystack_len || offset < -INT_MAX) {
php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Offset is greater than the length of haystack string");
RETURN_FALSE;
}
--- /dev/null
+--TEST--
+strrpos() offset integer overflow
+--FILE--
+<?php
+
+var_dump(strrpos("t", "t", PHP_INT_MAX+1));
+var_dump(strrpos("tttt", "tt", PHP_INT_MAX+1));
+var_dump(strrpos(100, 101, PHP_INT_MAX+1));
+var_dump(strrpos(1024, 1024, PHP_INT_MAX+1));
+var_dump(strrpos(1024, 1024, -PHP_INT_MAX));
+var_dump(strrpos(1024, "te", -PHP_INT_MAX));
+var_dump(strrpos(1024, 1024, -PHP_INT_MAX-1));
+var_dump(strrpos(1024, "te", -PHP_INT_MAX-1));
+
+echo "Done\n";
+?>
+--EXPECTF--
+Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d
+bool(false)
+
+Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d
+bool(false)
+
+Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d
+bool(false)
+
+Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d
+bool(false)
+
+Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d
+bool(false)
+
+Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d
+bool(false)
+
+Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d
+bool(false)
+
+Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d
+bool(false)
+Done
projects / php / commitdiff