From: Antony Dovgal Date: Fri, 19 May 2006 10:20:44 +0000 (+0000) Subject: fix invalid read in basename("/.gz", ".gz") X-Git-Tag: php-4.4.3RC1~10 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=5df81174c6853c537a58d2383747edff9c3bb881;p=php fix invalid read in basename("/.gz", ".gz") --- diff --git a/ext/standard/string.c b/ext/standard/string.c index cd7b6b1f2b..e172194634 100644 --- a/ext/standard/string.c +++ b/ext/standard/string.c @@ -1063,12 +1063,14 @@ PHP_FUNCTION(strtolower) PHPAPI char *php_basename(char *s, size_t len, char *suffix, size_t sufflen) { char *ret=NULL, *c, *p=NULL, buf='\0', *p2=NULL, buf2='\0'; + int cnt = len; c = s + len - 1; /* do suffix removal as the unix command does */ if (suffix && (len > sufflen)) { if (!strncmp(suffix, c-sufflen+1, sufflen)) { - c -= sufflen; + c -= sufflen; + cnt -= sufflen; buf2 = *(c + 1); /* Save overwritten char */ *(c + 1) = '\0'; /* overwrite char */ p2 = c + 1; /* Save pointer to overwritten char */ @@ -1077,12 +1079,15 @@ PHPAPI char *php_basename(char *s, size_t len, char *suffix, size_t sufflen) /* strip trailing slashes */ - while (*c == '/' + while (cnt > 0 && (*c == '/' #ifdef PHP_WIN32 || (*c == '\\' && !IsDBCSLeadByte(*(c-1))) #endif - ) + )) { c--; + cnt--; + } + if (c+1 >= s && c < s+len-1) { buf = *(c + 1); /* Save overwritten char */ *(c + 1) = '\0'; /* overwrite char */
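Review bot: `int cnt = len;` at the top of php_basename narrows a size_t into an int, and `cnt -= sufflen` then mixes that signed counter with a size_t operand. For a length above INT_MAX the counter would start out negative (the conversion is implementation-defined), so the `cnt > 0` guard added in the next hunk would skip slash stripping altogether. Declaring it as `size_t cnt = len;` keeps the types consistent, and the subtraction cannot wrap because it sits under the existing `len > sufflen` check. The function body continues past the end of this hunk.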
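Review bot: The PHP_WIN32 arm of the loop condition still evaluates `*(c-1)` when `cnt` is 1, which is the byte before `s`; the new `cnt > 0` test only protects the read of `*c`. A string that is a single backslash, or one reduced to that by the suffix removal above, appears to reach this lookbehind. Guarding it, for example `|| (*c == '\\' && (cnt == 1 || !IsDBCSLeadByte(*(c-1))))`, would close the same class of invalid read on Windows builds. A one-line comment above the loop such as `/* cnt = bytes of s not yet stripped; keeps c from walking below s */` would also document why the counter exists. The function starts and ends outside this hunk.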