Fixed possible memory corruption inside mb_strcut().

author Ilia Alshanetsky <iliaa@php.net>

Thu, 15 Dec 2005 03:36:53 +0000 (03:36 +0000)

committer Ilia Alshanetsky <iliaa@php.net>

Thu, 15 Dec 2005 03:36:53 +0000 (03:36 +0000)
author Ilia Alshanetsky <iliaa@php.net>
Thu, 15 Dec 2005 03:36:53 +0000 (03:36 +0000)
committer Ilia Alshanetsky <iliaa@php.net>
Thu, 15 Dec 2005 03:36:53 +0000 (03:36 +0000)
diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c

index 1f7a1c98ca6cd5278d1244f82f8e8927b52cc4a6..7e665c37d4fc016dbc2f3a898096920ff4ba6489 100644 (file)
--- a/ext/mbstring/mbstring.c
+++ b/ext/mbstring/mbstring.c
@@ -1844,6 +1844,13 @@ PHP_FUNCTION(mb_strcut)
                 }
         }
  
+       if (from > Z_STRLEN_PP(arg1)) {
+               RETURN_FALSE;
+       }
+       if (((unsigned) from + (unsigned) len) > Z_STRLEN_PP(arg1)) {
+               len = Z_STRLEN_PP(arg1) - from;
+       }
+
         ret = mbfl_strcut(&string, &result, from, len);
         if (ret != NULL) {
                 RETVAL_STRINGL(ret->val, ret->len, 0);          /* the string is already strdup()'ed */
author	Ilia Alshanetsky <iliaa@php.net>
	Thu, 15 Dec 2005 03:36:53 +0000 (03:36 +0000)
committer	Ilia Alshanetsky <iliaa@php.net>
	Thu, 15 Dec 2005 03:36:53 +0000 (03:36 +0000)