From: Antony Dovgal <tony2001@php.net>
Date: Thu, 10 May 2007 22:08:35 +0000 (+0000)
Subject: fix segfault in strripos() when offset == INT_MAX+1
X-Git-Tag: RELEASE_1_2_0~109
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=483c3034bcf2d989c8c01761c68d094e0362840b;p=php

fix segfault in strripos() when offset == INT_MAX+1
identified and repoted by Joxean Koret
---

diff --git a/ext/standard/string.c b/ext/standard/string.c
index 7f9d15b4e5..f3f2210cf2 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -2915,7 +2915,7 @@ PHP_FUNCTION(strripos)
 			u_e = haystack.u + haystack_len - needle_len;
 		} else {
 			u_p = haystack.u;
-			if (-offset > haystack_len) {
+			if (-offset > haystack_len || -offset < 0) {
 				RETURN_FALSE;
 			} else {
 				cu_offset = haystack_len;
@@ -2953,7 +2953,7 @@ PHP_FUNCTION(strripos)
 				e = haystack.s + haystack_len - 1;
 			} else {
 				p = haystack.s;
-				if (-offset > haystack_len) {
+				if (-offset > haystack_len || -offset < 0) {
 					RETURN_FALSE;
 				} else {
 					e = haystack.s + haystack_len + offset;
@@ -2984,7 +2984,7 @@ PHP_FUNCTION(strripos)
 			p = haystack_dup + offset;
 			e = haystack_dup + haystack_len - needle_len;
 		} else {
-			if (-offset > haystack_len) {
+			if (-offset > haystack_len || -offset < 0) {
 				efree(haystack_dup);
 				efree(needle_dup);
 				RETURN_FALSE;
diff --git a/ext/standard/tests/strings/strripos_offset.phpt b/ext/standard/tests/strings/strripos_offset.phpt
new file mode 100644
index 0000000000..0dd22cba7e
--- /dev/null
+++ b/ext/standard/tests/strings/strripos_offset.phpt
@@ -0,0 +1,43 @@
+--TEST--
+strripos() offset integer overflow
+--FILE--
+<?php
+
+var_dump(strripos("t", "t", PHP_INT_MAX+1));
+var_dump(strripos("tttt", "tt", PHP_INT_MAX+1));
+var_dump(strripos(100, 101, PHP_INT_MAX+1));
+var_dump(strripos(1024, 1024, PHP_INT_MAX+1));
+var_dump(strripos(array(), array(), PHP_INT_MAX+1));
+var_dump(strripos(1024, 1024, -PHP_INT_MAX));
+var_dump(strripos(1024, "te", -PHP_INT_MAX));
+var_dump(strripos(1024, 1024, -PHP_INT_MAX-1));
+var_dump(strripos(1024, "te", -PHP_INT_MAX-1));
+
+echo "Done\n";
+?>
+--EXPECTF--	
+bool(false)
+bool(false)
+bool(false)
+bool(false)
+
+Warning: strripos() expects parameter 1 to be string (Unicode or binary), array given in %s on line %d
+bool(false)
+bool(false)
+bool(false)
+bool(false)
+bool(false)
+Done
+--UEXPECTF--
+bool(false)
+bool(false)
+bool(false)
+bool(false)
+
+Warning: strripos() expects parameter 1 to be string (Unicode or binary), array given in %s on line %d
+bool(false)
+bool(false)
+bool(false)
+bool(false)
+bool(false)
+Done