Fixed segfault (op2 maybe equal to result)

author Xinchen Hui <laruence@gmail.com>

Wed, 5 Mar 2014 07:42:57 +0000 (15:42 +0800)

committer Xinchen Hui <laruence@gmail.com>

Wed, 5 Mar 2014 07:43:57 +0000 (15:43 +0800)
author Xinchen Hui <laruence@gmail.com>
Wed, 5 Mar 2014 07:42:57 +0000 (15:42 +0800)
committer Xinchen Hui <laruence@gmail.com>
Wed, 5 Mar 2014 07:43:57 +0000 (15:43 +0800)
diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c

index 2c3d657d0be35bc22c8e41ddf5a93390b1a9ae2d..5e9ad6a17db353f484d1329387faaeef575a8d8b 100644 (file)
--- a/Zend/zend_operators.c
+++ b/Zend/zend_operators.c
@@ -1389,16 +1389,17 @@ ZEND_API int concat_function(zval *result, zval *op1, zval *op2 TSRMLS_DC) /* {{
         }
         if (result==op1 && !IS_INTERNED(Z_STR_P(op1))) {        /* special case, perform operations on result */
                 uint op1_len = Z_STRLEN_P(op1);
-               uint res_len = op1_len + Z_STRLEN_P(op2);
+               uint op2_len = Z_STRLEN_P(op2);
+               uint res_len = op1_len + op2_len;
  
-               if (Z_STRLEN_P(result) < 0 || (int) (Z_STRLEN_P(op1) + Z_STRLEN_P(op2)) < 0) {
+               if (Z_STRLEN_P(result) < 0 || (int) (op1_len + op2_len) < 0) {
                         ZVAL_EMPTY_STRING(result);
                         zend_error(E_ERROR, "String size overflow");
                 }
  
                 Z_STR_P(result) = STR_REALLOC(Z_STR_P(result), res_len, 0 );
  
-               memcpy(Z_STRVAL_P(result) + op1_len, Z_STRVAL_P(op2), Z_STRLEN_P(op2));
+               memcpy(Z_STRVAL_P(result) + op1_len, Z_STRVAL_P(op2), op2_len);
                 Z_STRVAL_P(result)[res_len]=0;
         } else {
                 int length = Z_STRLEN_P(op1) + Z_STRLEN_P(op2);
author	Xinchen Hui <laruence@gmail.com>
	Wed, 5 Mar 2014 07:42:57 +0000 (15:42 +0800)
committer	Xinchen Hui <laruence@gmail.com>
	Wed, 5 Mar 2014 07:43:57 +0000 (15:43 +0800)