MFH: fix segfault in strripos() when offset == INT_MAX+1

identified and repoted by Joxean Koret

diff --git a/NEWS b/NEWS
index 8489254b45d2246c9ec5f5427ab11954a2227ef9..ff89ee81692de4907fa5dcc84eee8e62839d992f 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,7 @@ PHP                                                                        NEWS
   (Ilia)
 - Fixed altering $this via argument named "this". (Dmitry)
 - Fixed PHP CLI to use the php.ini from the binary location. (Hannes)
+- Fixed segfault in strripos(). (Tony, Joxean Koret)
 - Fixed bug #41347 (checkdnsrr() segfaults on empty hostname). (Scott)
 - Fixed bug #41337 (WSDL parsing doesn't ignore non soap bindings). (Dmitry)
 - Fixed bug #41326 (Writing empty tags with Xmlwriter::WriteElement[ns])

diff --git a/ext/standard/string.c b/ext/standard/string.c
index 98daf7ae9cb79bd190fe189cf8bcf314c48fc1e3..56981b077866602c9a1521fcda207e9fe500d7b0 100644 (file)
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -1856,7 +1856,7 @@ PHP_FUNCTION(strripos)
                        e = haystack + haystack_len - 1;
                } else {
                        p = haystack;
-                       if (-offset > haystack_len) {
+                       if (-offset > haystack_len || -offset < 0) {
                                php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Offset is greater than the length of haystack string");
                                RETURN_FALSE;
                        } else {
@@ -1889,7 +1889,7 @@ PHP_FUNCTION(strripos)
                p = haystack_dup + offset;
                e = haystack_dup + haystack_len - needle_len;
        } else {
-               if (-offset > haystack_len) {
+               if (-offset > haystack_len || -offset < 0) {
                        efree(needle_dup);
                        efree(haystack_dup);
                        php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Offset is greater than the length of haystack string");

diff --git a/ext/standard/tests/strings/strripos_offset.phpt b/ext/standard/tests/strings/strripos_offset.phpt
new file mode 100644 (file)
index 0000000..daa917e
--- /dev/null
+++ b/ext/standard/tests/strings/strripos_offset.phpt
@@ -0,0 +1,45 @@
+--TEST--
+strripos() offset integer overflow
+--FILE--
+<?php
+
+var_dump(strripos("t", "t", PHP_INT_MAX+1));
+var_dump(strripos("tttt", "tt", PHP_INT_MAX+1));
+var_dump(strripos(100, 101, PHP_INT_MAX+1));
+var_dump(strripos(1024, 1024, PHP_INT_MAX+1));
+var_dump(strripos(array(), array(), PHP_INT_MAX+1));
+var_dump(strripos(1024, 1024, -PHP_INT_MAX));
+var_dump(strripos(1024, "te", -PHP_INT_MAX));
+var_dump(strripos(1024, 1024, -PHP_INT_MAX-1));
+var_dump(strripos(1024, "te", -PHP_INT_MAX-1));
+
+echo "Done\n";
+?>
+--EXPECTF--    
+Notice: strripos(): Offset is greater than the length of haystack string in %s on line %d
+bool(false)
+
+Notice: strripos(): Offset is greater than the length of haystack string in %s on line %d
+bool(false)
+
+Notice: strripos(): Offset is greater than the length of haystack string in %s on line %d
+bool(false)
+
+Notice: strripos(): Offset is greater than the length of haystack string in %s on line %d
+bool(false)
+
+Warning: strripos() expects parameter 1 to be string, array given in %s on line %d
+bool(false)
+
+Notice: strripos(): Offset is greater than the length of haystack string in %s on line %d
+bool(false)
+
+Notice: strripos(): Offset is greater than the length of haystack string in %s on line %d
+bool(false)
+
+Notice: strripos(): Offset is greater than the length of haystack string in %s on line %d
+bool(false)
+
+Notice: strripos(): Offset is greater than the length of haystack string in %s on line %d
+bool(false)
+Done