Fixed bug #68225 unpack and X format code

This is done by reverting some parts to the state of pre 7, whereby
that means all the size_t potential isn't exhausted. This might be
a subject of the subsequent fix, the functionality can be ensured
with the supplied test.

diff --git a/ext/standard/pack.c b/ext/standard/pack.c
index 4af72c34b805d6043c8482c2831b4f9ed4de9e61..85709bc9f18031bdcb73b4dd22e1a2d9c0d654cd 100644 (file)
--- a/ext/standard/pack.c
+++ b/ext/standard/pack.c
@@ -560,7 +560,7 @@ PHP_FUNCTION(unpack)
 {
        char *format, *input;
        zend_string *formatarg, *inputarg;
-       size_t formatlen, inputpos, inputlen;
+       zend_long formatlen, inputpos, inputlen;
        int i;
 
        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "SS", &formatarg, 
@@ -717,7 +717,7 @@ PHP_FUNCTION(unpack)
                                inputpos = 0;
                        }
 
-                       if ((size >=0 && (inputpos + size) <= inputlen) || (size < 0 && -size <= (inputlen - inputpos))) {
+                       if ((inputpos + size) <= inputlen) {
                                switch ((int) type) {
                                        case 'a': {
                                                /* a will not strip any trailing whitespace or null padding */

diff --git a/ext/standard/tests/strings/unpack_bug68225.phpt b/ext/standard/tests/strings/unpack_bug68225.phpt
new file mode 100644 (file)
index 0000000..7f8cdd4
--- /dev/null
+++ b/ext/standard/tests/strings/unpack_bug68225.phpt
@@ -0,0 +1,39 @@
+--TEST--
+Bug #68225 unpack and X format code
+--FILE--
+<?php
+
+$data = pack('VV', 1, 2);
+
+$result = unpack('Va/X' ,$data);
+var_dump($result);
+
+$result = unpack('Va/X4' ,$data);
+var_dump($result);
+
+$result = unpack('V1a/X4/V1b/V1c/X4/V1d', $data);
+var_dump($result);
+
+?>
+===DONE===
+--EXPECTF--
+array(1) {
+  ["a"]=>
+  int(1)
+}
+array(1) {
+  ["a"]=>
+  int(1)
+}
+array(4) {
+  ["a"]=>
+  int(1)
+  ["b"]=>
+  int(1)
+  ["c"]=>
+  int(2)
+  ["d"]=>
+  int(2)
+}
+===DONE===
+