From: Zeev Suraski
Date: Mon, 5 Feb 2001 22:27:47 +0000 (+0000)
Subject: Fix string offset data corruption
X-Git-Tag: php-4.0.5RC1~353
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=c3531b375005d7d618c8101f6f4810f5abee29d4;p=php
Fix string offset data corruption
---
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index bfebe66524..03bb80c18b 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -98,6 +98,7 @@ static inline zval *_get_zval_ptr(znode *node, temp_variable *Ts, int *should_fr
 zval *str = T->EA.data.str_offset.str;
 if (T->EA.data.str_offset.str->type != IS_STRING
+ || (T->EA.data.str_offset.offset<0)
 || (T->EA.data.str_offset.str->value.str.len <= T->EA.data.str_offset.offset)) {
 T->tmp_var.value.str.val = empty_string;
 T->tmp_var.value.str.len = 0;
@@ -263,6 +264,7 @@ static inline void zend_assign_to_variable(znode *result, znode *op1, znode *op2
 temp_variable *T = &Ts[op1->u.var];
 if (T->EA.data.str_offset.str->type == IS_STRING
+ && (T->EA.data.str_offset.offset >= 0)
 && (T->EA.data.str_offset.offset < T->EA.data.str_offset.str->value.str.len)) {
 zval tmp;
 zval *final_value = value;
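Review bot: The added lower-bound test `|| (T->EA.data.str_offset.offset<0)` has no comment saying why it is needed, and it is spaced differently from its counterpart in the zend_assign_to_variable hunk (`offset >= 0`). I would write it as `|| (T->EA.data.str_offset.offset < 0) /* a negative offset would index before the start of str.val */` so the two halves of the bounds check read as a pair. The test only has an effect if `offset` is a signed type. Its declaration is not in this hunk, so that is worth confirming; with an unsigned field the comparison is always false and only the upper-bound test decides. _get_zval_ptr's body starts and ends outside the hunk.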
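Review bot: The range test on this write path is a hand-inverted copy of the one in the _get_zval_ptr hunk, and the commit has to add the same missing lower bound to both copies; a single shared predicate would stop them drifting apart again. A file-local macro would do (the name is only a suggestion): `#define STR_OFFSET_IN_RANGE(T) ((T)->EA.data.str_offset.offset >= 0 && (T)->EA.data.str_offset.offset < (T)->EA.data.str_offset.str->value.str.len)`, used as-is here and negated on the read path. The branch taken when the offset is out of range lies outside this hunk, so it is not visible whether a rejected write is reported or silently dropped. If it is silent, emitting a warning there would make the bad index visible to the script author. zend_assign_to_variable's body continues outside the hunk.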