From: Antony Dovgal <tony2001@php.net>
Date: Tue, 25 Apr 2006 12:49:04 +0000 (+0000)
Subject: MF51: fix possible substr_compare() crash
X-Git-Tag: BEFORE_NEW_OUTPUT_API~368
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=7bde7e87ebf2bec77b1ef22698e6310931637ae3;p=php

MF51: fix possible substr_compare() crash
add new tests
---

diff --git a/ext/standard/string.c b/ext/standard/string.c
index 9788361e95..475081ff41 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -6814,12 +6814,18 @@ PHP_FUNCTION(substr_compare)
 		RETURN_FALSE;
 	}
 
-	if (offset < 0) { /* negative offset, start comparison at the end of string */
+	if (ZEND_NUM_ARGS() >= 4 && len <= 0) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "The length must be greater than zero");
+		RETURN_FALSE;
+	}
+
+	if (offset < 0) {
 		offset = s1_len + offset;
+		offset = (offset < 0) ? 0 : offset;
 	}
 
 	if ((offset + len) >= s1_len) {
-		php_error_docref(NULL TSRMLS_CC, E_WARNING, "The start position cannot exceed initial string length.");
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "The start position cannot exceed initial string length");
 		RETURN_FALSE;
 	}
 
diff --git a/ext/standard/tests/strings/bug33605.phpt b/ext/standard/tests/strings/bug33605.phpt
new file mode 100644
index 0000000000..f0c49eb18f
--- /dev/null
+++ b/ext/standard/tests/strings/bug33605.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #33605 (substr_compare crashes)
+--FILE--
+<?php
+$res = substr_compare("aa", "a", -99999999, 0, 0);
+var_dump($res);
+
+?>
+--EXPECTF--
+Warning: substr_compare(): The length must be greater than zero in %s on line %d
+bool(false)
diff --git a/ext/standard/tests/strings/substr_compare.phpt b/ext/standard/tests/strings/substr_compare.phpt
new file mode 100644
index 0000000000..9486c16dd2
--- /dev/null
+++ b/ext/standard/tests/strings/substr_compare.phpt
@@ -0,0 +1,41 @@
+--TEST--
+substr_compare()
+--FUNCTIONS--
+substr_compare
+--FILE--
+<?php
+
+var_dump(substr_compare("abcde", "bc", 1, 2));
+var_dump(substr_compare("abcde", "bcg", 1, 2));
+var_dump(substr_compare("abcde", "BC", 1, 2, true));
+var_dump(substr_compare("abcde", "bc", 1, 3));
+var_dump(substr_compare("abcde", "cd", 1, 2));
+var_dump(substr_compare("abcde", "abc", 5, 1));
+
+var_dump(substr_compare("abcde", -1, 0, NULL, new stdClass));
+echo "Test\n";
+var_dump(substr_compare("abcde", "abc", -1, NULL, -5));
+var_dump(substr_compare("abcde", -1, 0, "str", new stdClass));
+
+echo "Done\n";
+?>
+--EXPECTF--
+int(0)
+int(0)
+int(0)
+int(1)
+int(-1)
+
+Warning: substr_compare(): The start position cannot exceed initial string length in %s on line %d
+bool(false)
+
+Warning: substr_compare() expects parameter 5 to be boolean, object given in %s on line %d
+bool(false)
+Test
+
+Warning: substr_compare(): The length must be greater than zero in %s on line %d
+bool(false)
+
+Warning: substr_compare() expects parameter 4 to be long, string given in %s on line %d
+bool(false)
+Done