MFH: Fixed possible memory corruption inside mb_strcut().

author Ilia Alshanetsky <iliaa@php.net>

Thu, 15 Dec 2005 03:37:22 +0000 (03:37 +0000)

committer Ilia Alshanetsky <iliaa@php.net>

Thu, 15 Dec 2005 03:37:22 +0000 (03:37 +0000)
author Ilia Alshanetsky <iliaa@php.net>
Thu, 15 Dec 2005 03:37:22 +0000 (03:37 +0000)
committer Ilia Alshanetsky <iliaa@php.net>
Thu, 15 Dec 2005 03:37:22 +0000 (03:37 +0000)
diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c

index 8a606ad85da2a076448920706e7e7661b6fbf090..74f44bb39303b7b8086a1810579bbb73232a8d73 100644 (file)
--- a/ext/mbstring/mbstring.c
+++ b/ext/mbstring/mbstring.c
@@ -2485,6 +2485,13 @@ PHP_FUNCTION(mb_strcut)
                 }
         }
  
+       if (from > Z_STRLEN_PP(arg1)) {
+               RETURN_FALSE;
+       }
+       if (((unsigned) from + (unsigned) len) > Z_STRLEN_PP(arg1)) {
+               len = Z_STRLEN_PP(arg1) - from;
+       }
+
         ret = mbfl_strcut(&string, &result, from, len);
         if (ret != NULL) {
                 RETVAL_STRINGL(ret->val, ret->len, 0);          /* the string is already strdup()'ed */
author	Ilia Alshanetsky <iliaa@php.net>
	Thu, 15 Dec 2005 03:37:22 +0000 (03:37 +0000)
committer	Ilia Alshanetsky <iliaa@php.net>
	Thu, 15 Dec 2005 03:37:22 +0000 (03:37 +0000)