From: Ilia Alshanetsky
Date: Thu, 8 Mar 2007 00:18:10 +0000 (+0000)
Subject: Improved length parameter validation
X-Git-Tag: php-5.2.2RC1~195
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=8696c9bc89c925a7ee19a4c1e941a5c51ebb82a6;p=php
Improved length parameter validation
---
diff --git a/ext/standard/string.c b/ext/standard/string.c
index 9c55575bb0..4b39d4904b 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -4655,7 +4655,7 @@ PHP_FUNCTION(substr_count)
 php_error_docref(NULL TSRMLS_CC, E_WARNING, "Length should be greater than 0.");
 RETURN_FALSE;
 }
- if ((p + Z_LVAL_PP(length)) > endp) {
+ if ((p + Z_LVAL_PP(length)) <= p || (p + Z_LVAL_PP(length)) > endp) {
 php_error_docref(NULL TSRMLS_CC, E_WARNING, "Length value %ld exceeds string length.", Z_LVAL_PP(length));
 RETURN_FALSE;
 }
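Review bot: The added `(p + Z_LVAL_PP(length)) <= p` test can only fire if the pointer addition wraps, and forming a pointer beyond one past the end of the buffer is undefined behaviour in C, so an optimising compiler is allowed to drop the test entirely. Comparing sizes instead of pointers avoids this: `if (Z_LVAL_PP(length) > (endp - p)) {` rejects both the wraparound case and the plain overrun without computing an out-of-range pointer. That form assumes the earlier check (whose "Length should be greater than 0." warning is visible as context) already rejects non-positive lengths, and that p never exceeds endp. The body of PHP_FUNCTION(substr_count) starts and ends outside the hunk, so how p and endp are derived should be confirmed there.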