Fixed possible buffer over run in php_mb_safe_strrchr_ex()

diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c
index 47084ccc91ea123fa274f9ed604908513376ec95..199ba03ac13796d90d5d641688109db70e6c3836 100644 (file)
--- a/ext/mbstring/mbstring.c
+++ b/ext/mbstring/mbstring.c
@@ -3459,17 +3459,26 @@ MBSTRING_API char *php_mb_safe_strrchr_ex(const char *s, unsigned int c, size_t
        char *last=NULL;
 
        if (nbytes == (size_t)-1) {
+               size_t nb = 0;
+
                while (*p != '\0') {
-                       if ((unsigned int)*p == c) {
-                               last = (char *)p;
+                       if (nb == 0) {
+                               if ((unsigned char)*p == (unsigned char)c) {
+                                       last = (char *)p;
+                               }
+                               nb = php_mb_mbchar_bytes_ex(p, enc);
+                               if (nb == 0) {
+                                       return NULL; /* something is going wrong! */
+                               }
                        }
-                       p += php_mb_mbchar_bytes_ex(p, enc);
+                       --nb;
+                       ++p;
                }
        } else {
                register size_t bcnt = nbytes;
                register size_t nbytes_char;
                while (bcnt > 0) {
-                       if ((unsigned int)*p == c) {
+                       if ((unsigned char)*p == (unsigned char)c) {
                                last = (char *)p;
                        }
                        nbytes_char = php_mb_mbchar_bytes_ex(p, enc);