From: Pierrick Charron Date: Thu, 21 Apr 2011 01:51:24 +0000 (+0000) Subject: Revert bug #54454 fix from PHP_5_3 branch to avoid BC break in minor release X-Git-Tag: php-5.3.7RC1~173 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=1153eaf505679328394f902827a6c67a73b1512a;p=php Revert bug #54454 fix from PHP_5_3 branch to avoid BC break in minor release --- diff --git a/NEWS b/NEWS index 4c2b338248..ed3e8578b9 100644 --- a/NEWS +++ b/NEWS @@ -18,8 +18,6 @@ PHP NEWS . Implemented FR #54459 (Range function accuracy). (Adam) . Added PHP_MANDIR constant telling where the manpages were installed into, and an --man-dir argument to php-config. (Hannes) - . Fixed bug #54454 (substr_compare incorrectly reports equality in some - cases). (Pierrick) . Fixed bug #54238 (use-after-free in substr_replace()). (Stas) (CVE-2011-1148) . Fixed bug #54180 (parse_url() incorrectly parses path when ? in fragment). diff --git a/ext/standard/string.c b/ext/standard/string.c index a8b87e94f3..ec3a5b28c6 100644 --- a/ext/standard/string.c +++ b/ext/standard/string.c @@ -5278,6 +5278,10 @@ PHP_FUNCTION(substr_compare) RETURN_FALSE; } + if (len > s1_len - offset) { + len = s1_len - offset; + } + cmp_len = (uint) (len ? len : MAX(s2_len, (s1_len - offset))); if (!cs) { diff --git a/ext/standard/tests/strings/bug54454.phpt b/ext/standard/tests/strings/bug54454.phpt deleted file mode 100644 index 88835c983b..0000000000 --- a/ext/standard/tests/strings/bug54454.phpt +++ /dev/null @@ -1,8 +0,0 @@ ---TEST-- -Bug #54454 (substr_compare incorrectly reports equality in some cases) ---FILE-- - ---EXPECT-- -int(-3) diff --git a/ext/standard/tests/strings/substr_compare.phpt b/ext/standard/tests/strings/substr_compare.phpt index c647506b53..206ccd5ede 100644 --- a/ext/standard/tests/strings/substr_compare.phpt +++ b/ext/standard/tests/strings/substr_compare.phpt @@ -27,7 +27,7 @@ int(-1) Warning: substr_compare(): The start position cannot exceed initial string length in %s on line %d bool(false) -int(-1) +int(0) Warning: substr_compare() expects parameter 5 to be boolean, object given in %s on line %d bool(false)