]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 0fb6cde)
MFH:
authorAndrey Hristov <andrey@php.net>
Sun, 11 Jul 2004 21:24:47 +0000 (21:24 +0000)
committerAndrey Hristov <andrey@php.net>
Sun, 11 Jul 2004 21:24:47 +0000 (21:24 +0000)
fixed bug #28974 : overflow in array_slice()
The same kind of overflow appeared in array_splice(), substr() and
substr_replace()

ext/standard/array.c patch | blob | history
ext/standard/string.c patch | blob | history

diff --git a/ext/standard/array.c b/ext/standard/array.c
index 502b1baa35ac465e979c7da227084ec0e635d7f2..c293f92d6d8c4a7e220ea3f0515b1471fc9ed190 100644 (file)
--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@@ -1583,7 +1583,7 @@ HashTable* php_splice(HashTable *in_hash, int offset, int length,
        /* ..and the length */
        if (length < 0) {
                length = num_in-offset+length;
-       } else if (offset+length > num_in) {
+       } else if (((unsigned) offset + (unsigned) length) > num_in) {
                length = num_in-offset;
        }
 
@@ -1960,7 +1960,7 @@ PHP_FUNCTION(array_slice)
        /* ..and the length */
        if (length_val < 0) {
                length_val = num_in-offset_val+length_val;
-       } else if (offset_val+length_val > num_in) {
+       } else if (((unsigned) offset_val + (unsigned)length_val) > num_in) {
                length_val = num_in-offset_val;
        }
        
diff --git a/ext/standard/string.c b/ext/standard/string.c
index 25d061a107d5403d624c2a830834c4cf5a3a15c5..2a243214b00476e5e42bdba7b112f70d6283812c 100644 (file)
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -234,7 +234,7 @@ static void php_spn_common_handler(INTERNAL_FUNCTION_PARAMETERS, int behavior)
                }
        }
        
-       if ((start + len) > len1) {
+       if (((unsigned) start + (unsigned) len) > len1) {
                len = len1 - start;
        }
 
@@ -1636,7 +1636,7 @@ PHP_FUNCTION(substr)
                RETURN_FALSE;
        }
 
-       if ((f + l) > Z_STRLEN_PP(str)) {
+       if (((unsigned) f + (unsigned) l) > Z_STRLEN_PP(str)) {
                l = Z_STRLEN_PP(str) - f;
        }
 
@@ -1698,7 +1698,7 @@ PHP_FUNCTION(substr_replace)
                }
        }
 
-       if ((f + l) > Z_STRLEN_PP(str)) {
+       if (((unsigned) f + (unsigned) l) > Z_STRLEN_PP(str)) {
                l = Z_STRLEN_PP(str) - f;
        }
 
Unnamed repository; edit this file 'description' to name the repository.