Fixed a segfault. (It's possible for large offsets to make strrpos()

read past the end of the haystack string...)

diff --git a/ext/standard/string.c b/ext/standard/string.c
index 24bfd75c37bb0fd047a2aa64dfbfd8ce84796b36..9bac29237199651ce55b798f28c897ab016c0ad8 100644 (file)
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -1614,7 +1614,9 @@ PHP_FUNCTION(strrpos)
                e = haystack + haystack_len - needle_len;
        } else {
                p = haystack;
-               if (needle_len > -offset) {
+               if (-offset > haystack_len) {
+                       e = haystack - needle_len;
+               } else if (needle_len > -offset) {
                        e = haystack + haystack_len - needle_len;
                } else {
                        e = haystack + haystack_len + offset;
@@ -1681,7 +1683,11 @@ PHP_FUNCTION(strripos)
                        e = haystack + haystack_len - 1;
                } else {
                        p = haystack;
-                       e = haystack + haystack_len - offset;
+                       if (-offset > haystack_len) {
+                               e = haystack + haystack_len - 1;
+                       } else {
+                               e = haystack + haystack_len + offset;
+                       }
                }
                /* Borrow that ord_needle buffer to avoid repeatedly tolower()ing needle */
                *ord_needle = tolower(*needle);
@@ -1704,7 +1710,9 @@ PHP_FUNCTION(strripos)
                e = haystack_dup + haystack_len - needle_len;
        } else {
                p = haystack_dup;
-               if (needle_len > -offset) {
+               if (-offset > haystack_len) {
+                       e = haystack_dup - needle_len;
+               } else if (needle_len > -offset) {
                        e = haystack_dup + haystack_len - needle_len;
                } else {
                        e = haystack_dup + haystack_len + offset;