From: Dmitry Stogov <dmitry@php.net>
Date: Tue, 24 Mar 2009 16:02:50 +0000 (+0000)
Subject: Fixed "-0" parsing and optimized overflow check (Matt)
X-Git-Tag: php-5.3.0RC2~295
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=4658d9408b9614d1e298f3c02bc17ac62f638249;p=php

Fixed "-0" parsing and optimized overflow check (Matt)
---

diff --git a/Zend/zend_hash.h b/Zend/zend_hash.h
index 793f85e865..618da2bfa4 100644
--- a/Zend/zend_hash.h
+++ b/Zend/zend_hash.h
@@ -314,47 +314,29 @@ END_EXTERN_C()
 		const char *end = key + length - 1;									\
 		long idx;															\
 																			\
-		if (*end != '\0') { /* not a null terminated string */				\
+		if ((*end != '\0') /* not a null terminated string */				\
+		 || (*tmp == '0' && length > 2) /* numbers with leading zeros */	\
+		 || (end - tmp > MAX_LENGTH_OF_LONG - 1) /* number too long */		\
+		 || (SIZEOF_LONG == 4 &&											\
+		     end - tmp == MAX_LENGTH_OF_LONG - 1 &&							\
+		     *tmp > '2')) { /* overflow */									\
 			break;															\
-		} else if (*tmp == '0') {											\
-			if (end - tmp != 1) {											\
-				/* don't accept numbers with leading zeros */				\
-				break;														\
-			}																\
-			idx = 0;														\
-		} else if (end - tmp > MAX_LENGTH_OF_LONG - 1) {					\
-			/* don't accept too long strings */								\
-			break;															\
-		} else {															\
-			if (end - tmp == MAX_LENGTH_OF_LONG - 1) {						\
-				end--; /* check overflow in last digit later */				\
-			}																\
-			idx = (*tmp++ - '0');											\
-			while (tmp != end && *tmp >= '0' && *tmp <= '9') {				\
-				idx = (idx * 10) + (*tmp++ - '0');							\
-			}																\
-			if (tmp != end) {												\
-				break;														\
-			}																\
-			if (end != key + length - 1) {									\
-				/* last digit can cause overflow */							\
-				if (*tmp < '0' || *tmp > '9' || idx > LONG_MAX / 10) {		\
-					break;													\
-				}															\
-				idx = (idx * 10) + (*tmp - '0');							\
-				if (*key == '-') {											\
-					idx = -idx;												\
-					if (idx > 0) { /* overflow */							\
-						break;												\
-					}														\
-				} else if (idx < 0) { /* overflow */						\
+		}																	\
+		idx = (*tmp - '0');													\
+		while (++tmp != end && *tmp >= '0' && *tmp <= '9') {				\
+			idx = (idx * 10) + (*tmp - '0');								\
+		}																	\
+		if (tmp == end) {													\
+			if (*key == '-') {												\
+				idx = -idx;													\
+				if (idx > 0) { /* overflow */								\
 					break;													\
 				}															\
-			} else if (*key == '-') {										\
-				idx = -idx;													\
+			} else if (idx < 0) { /* overflow */							\
+				break;														\
 			}																\
+			return func;													\
 		}																	\
-		return func;														\
 	}																		\
 } while (0)