fix #36944 (strncmp & strncasecmp do not return false on negative string length)

diff --git a/NEWS b/NEWS
index 6f23dd21777f3417a89249d11d0050b7c478fa94..e81aadccb52341571c7ed42577a17e726923b384 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -14,6 +14,8 @@ PHP                                                                        NEWS
 - Fixed debug_zval_dump() to support private and protected members. (Dmitry)
 - Fixed SoapFault::getMessage(). (Dmitry)
 - Fixed bug #36957 (serialize() does not handle recursion). (Ilia)
+- Fixed bug #36944 (strncmp & strncasecmp do not return false on negative 
+  string length). (Tony)
 - Fixed bug #36941 (ArrayIterator does not clone itself). (Marcus)
 - Fixed bug #36898 (__set() leaks in classes extending internal ones). 
   (Tony, Dmitry)

diff --git a/Zend/zend_builtin_functions.c b/Zend/zend_builtin_functions.c
index 07e5bf6ad13972d8f68d9608c08a74072704becd..f4a432d0281de94ecfa8f1fddf7ad6d9a464f451 100644 (file)
--- a/Zend/zend_builtin_functions.c
+++ b/Zend/zend_builtin_functions.c
@@ -314,6 +314,12 @@ ZEND_FUNCTION(strncmp)
        convert_to_string_ex(s1);
        convert_to_string_ex(s2);
        convert_to_long_ex(s3);
+
+       if (Z_LVAL_PP(s3) < 0) {
+               zend_error(E_WARNING, "Length must be greater than or equal to 0");
+               RETURN_FALSE;
+       }
+       
        RETURN_LONG(zend_binary_zval_strncmp(*s1, *s2, *s3));
 }
 /* }}} */
@@ -347,6 +353,12 @@ ZEND_FUNCTION(strncasecmp)
        convert_to_string_ex(s1);
        convert_to_string_ex(s2);
        convert_to_long_ex(s3);
+
+       if (Z_LVAL_PP(s3) < 0) {
+               zend_error(E_WARNING, "Length must be greater than or equal to 0");
+               RETURN_FALSE;
+       }
+
        RETURN_LONG(zend_binary_zval_strncasecmp(*s1, *s2, *s3));
 }
 /* }}} */