From: Nikita Popov <nikita.ppv@gmail.com>
Date: Tue, 28 Nov 2017 22:10:50 +0000 (+0100)
Subject: Fixed bug #75575
X-Git-Tag: php-7.3.0alpha1~923
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=5dc6392d257fa8a4c3a8938e9e0e36ae44a6834e;p=php

Fixed bug #75575

These functions are never called with needle longer than haystack,
but it makes sense to explicitly check for this, especially as we
already perform a check for empty haystack anyway, which is
naturally subsumed by a haystack_len < needle_len check.
---

diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
index 540f97943e..cad8d1dff4 100644
--- a/Zend/zend_operators.c
+++ b/Zend/zend_operators.c
@@ -3049,7 +3049,7 @@ ZEND_API const char* ZEND_FASTCALL zend_memnstr_ex(const char *haystack, const c
 	register size_t i;
 	register const char *p;
 
-	if (needle_len == 0 || (end - haystack) == 0) {
+	if (needle_len == 0 || (end - haystack) < needle_len) {
 		return NULL;
 	}
 
@@ -3083,7 +3083,7 @@ ZEND_API const char* ZEND_FASTCALL zend_memnrstr_ex(const char *haystack, const
 	register size_t i;
 	register const char *p;
 
-	if (needle_len == 0 || (end - haystack) == 0) {
+	if (needle_len == 0 || (end - haystack) < needle_len) {
 		return NULL;
 	}