From: Andrey Hristov
Date: Sun, 11 Jul 2004 21:24:47 +0000 (+0000)
Subject: MFH:
X-Git-Tag: php-4.3.9RC1~52
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=9947c89d6e0d3354fb387c06ff3d1fd78a5ab96f;p=php
MFH: fixed bug #28974 : overflow in array_slice() The same kind of overflow appeared in array_splice(), substr() and substr_replace()
---
diff --git a/ext/standard/array.c b/ext/standard/array.c
index 502b1baa35..c293f92d6d 100644
--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@@ -1583,7 +1583,7 @@ HashTable* php_splice(HashTable *in_hash, int offset, int length,
 /* ..and the length */
 if (length < 0) {
 length = num_in-offset+length;
- } else if (offset+length > num_in) {
+ } else if (((unsigned) offset + (unsigned) length) > num_in) {
 length = num_in-offset;
 }
@@ -1960,7 +1960,7 @@ PHP_FUNCTION(array_slice)
 /* ..and the length */
 if (length_val < 0) {
 length_val = num_in-offset_val+length_val;
- } else if (offset_val+length_val > num_in) {
+ } else if (((unsigned) offset_val + (unsigned)length_val) > num_in) {
 length_val = num_in-offset_val;
 }
diff --git a/ext/standard/string.c b/ext/standard/string.c
index 25d061a107..2a243214b0 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -234,7 +234,7 @@ static void php_spn_common_handler(INTERNAL_FUNCTION_PARAMETERS, int behavior)
 }
 }
- if ((start + len) > len1) {
+ if (((unsigned) start + (unsigned) len) > len1) {
 len = len1 - start;
 }
@@ -1636,7 +1636,7 @@ PHP_FUNCTION(substr)
 RETURN_FALSE;
 }
- if ((f + l) > Z_STRLEN_PP(str)) {
+ if (((unsigned) f + (unsigned) l) > Z_STRLEN_PP(str)) {
 l = Z_STRLEN_PP(str) - f;
 }
@@ -1698,7 +1698,7 @@ PHP_FUNCTION(substr_replace)
 }
 }
- if ((f + l) > Z_STRLEN_PP(str)) {
+ if (((unsigned) f + (unsigned) l) > Z_STRLEN_PP(str)) {
 l = Z_STRLEN_PP(str) - f;
 }
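Review bot: The new guard in php_splice, `((unsigned) offset + (unsigned) length) > num_in`, is correct only while both operands are non-negative, and it compares an unsigned sum against `num_in`, which is presumably a signed int. The addition can be avoided altogether with `} else if (length > num_in - offset) {`, which cannot overflow once `0 <= offset <= num_in` holds. The clamping of `offset` sits above the hunk, so that range is assumed here. The same rewrite fits the array_slice hunk (`length_val > num_in - offset_val`) and the three string.c hunks (`len > len1 - start`, `l > Z_STRLEN_PP(str) - f`). It would also remove five hand-copied cast pairs that a later call site could easily omit.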
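Review bot: In php_spn_common_handler the cast relies on `start` and `len` both being non-negative at this point, and nothing inside the hunk shows that. Whatever normalises them is above the hunk. If `start` could still be negative, `(unsigned) start` becomes a very large value, the branch is taken, and `len = len1 - start` ends up larger than `len1`. A comment on the condition would record the precondition for later edits, e.g. `/* start, len >= 0 here; add as unsigned so the sum cannot wrap (bug #28974) */`. The substr and substr_replace hunks have the same shape with `f` and `l` and would take the same comment.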