From: Ilia Alshanetsky <iliaa@php.net>
Date: Thu, 15 Dec 2005 03:37:22 +0000 (+0000)
Subject: MFH: Fixed possible memory corruption inside mb_strcut().
X-Git-Tag: php-4.4.2RC2~25
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=861de5ae7ba630a303d473d02c4ec8a37cf3a08f;p=php

MFH: Fixed possible memory corruption inside mb_strcut().
---

diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c
index 8a606ad85d..74f44bb393 100644
--- a/ext/mbstring/mbstring.c
+++ b/ext/mbstring/mbstring.c
@@ -2485,6 +2485,13 @@ PHP_FUNCTION(mb_strcut)
 		}
 	}
 
+	if (from > Z_STRLEN_PP(arg1)) {
+		RETURN_FALSE;
+	}
+	if (((unsigned) from + (unsigned) len) > Z_STRLEN_PP(arg1)) {
+		len = Z_STRLEN_PP(arg1) - from;
+	}
+
 	ret = mbfl_strcut(&string, &result, from, len);
 	if (ret != NULL) {
 		RETVAL_STRINGL(ret->val, ret->len, 0);		/* the string is already strdup()'ed */