From: Nikita Popov <nikic@php.net>
Date: Sat, 20 Aug 2016 17:00:03 +0000 (+0200)
Subject: Fix off-by-one in ReflectionType::__toString()
X-Git-Tag: php-7.1.0RC1~91
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=dfed09afcaed6773f00b366b0580a187f2fc453f;p=php

Fix off-by-one in ReflectionType::__toString()

Review mistake...
---

diff --git a/ext/reflection/php_reflection.c b/ext/reflection/php_reflection.c
index df15efd077..66ffeab196 100644
--- a/ext/reflection/php_reflection.c
+++ b/ext/reflection/php_reflection.c
@@ -3040,14 +3040,16 @@ ZEND_METHOD(reflection_type, __toString)
 	if (param->arg_info->type_hint == IS_OBJECT
 		&& !zend_string_equals_literal_ci(param->arg_info->class_name, "self")
 		&& !zend_string_equals_literal_ci(param->arg_info->class_name, "parent")) {
-		str = zend_string_extend(str, ZSTR_LEN(str) + 1, 0);
-		memmove(ZSTR_VAL(str) + 1, ZSTR_VAL(str), ZSTR_LEN(str) + 1);
+		size_t orig_len = ZSTR_LEN(str);
+		str = zend_string_extend(str, orig_len + 1, 0);
+		memmove(ZSTR_VAL(str) + 1, ZSTR_VAL(str), orig_len + 1);
 		ZSTR_VAL(str)[0] = '\\';
 	}
 	
 	if (param->arg_info->allow_null) {
-		str = zend_string_extend(str, ZSTR_LEN(str) + 1, 0);
-		memmove(ZSTR_VAL(str) + 1, ZSTR_VAL(str), ZSTR_LEN(str) + 1);
+		size_t orig_len = ZSTR_LEN(str);
+		str = zend_string_extend(str, orig_len + 1, 0);
+		memmove(ZSTR_VAL(str) + 1, ZSTR_VAL(str), orig_len + 1);
 		ZSTR_VAL(str)[0] = '?';
 	}