From 896a5216d73d35e5eb68e73ac4e363c40fc90995 Mon Sep 17 00:00:00 2001
From: Antony Dovgal <tony2001@php.net>
Date: Tue, 25 Apr 2006 12:48:42 +0000
Subject: [PATCH] fix possible substr_compare() crash add new tests

---
 ext/standard/string.c                         | 10 ++++-
 ext/standard/tests/strings/bug33605.phpt      | 11 +++++
 .../tests/strings/substr_compare.phpt         | 41 +++++++++++++++++++
 3 files changed, 60 insertions(+), 2 deletions(-)
 create mode 100644 ext/standard/tests/strings/bug33605.phpt
 create mode 100644 ext/standard/tests/strings/substr_compare.phpt

diff --git a/ext/standard/string.c b/ext/standard/string.c
index 21936dee5b..c923e84ab0 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -4884,13 +4884,19 @@ PHP_FUNCTION(substr_compare)
 		RETURN_FALSE;
 	}
 
-	if ((offset + len) >= s1_len) {
-		php_error_docref(NULL TSRMLS_CC, E_WARNING, "The start position cannot exceed initial string length.");
+	if (ZEND_NUM_ARGS() >= 4 && len <= 0) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "The length must be greater than zero");
 		RETURN_FALSE;
 	}
 
 	if (offset < 0) {
 		offset = s1_len + offset;
+		offset = (offset < 0) ? 0 : offset;
+	}
+
+	if ((offset + len) >= s1_len) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "The start position cannot exceed initial string length");
+		RETURN_FALSE;
 	}
 
 	cmp_len = (uint) (len ? len : MAX(s2_len, (s1_len - offset)));
diff --git a/ext/standard/tests/strings/bug33605.phpt b/ext/standard/tests/strings/bug33605.phpt
new file mode 100644
index 0000000000..f0c49eb18f
--- /dev/null
+++ b/ext/standard/tests/strings/bug33605.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #33605 (substr_compare crashes)
+--FILE--
+<?php
+$res = substr_compare("aa", "a", -99999999, 0, 0);
+var_dump($res);
+
+?>
+--EXPECTF--
+Warning: substr_compare(): The length must be greater than zero in %s on line %d
+bool(false)
diff --git a/ext/standard/tests/strings/substr_compare.phpt b/ext/standard/tests/strings/substr_compare.phpt
new file mode 100644
index 0000000000..9486c16dd2
--- /dev/null
+++ b/ext/standard/tests/strings/substr_compare.phpt
@@ -0,0 +1,41 @@
+--TEST--
+substr_compare()
+--FUNCTIONS--
+substr_compare
+--FILE--
+<?php
+
+var_dump(substr_compare("abcde", "bc", 1, 2));
+var_dump(substr_compare("abcde", "bcg", 1, 2));
+var_dump(substr_compare("abcde", "BC", 1, 2, true));
+var_dump(substr_compare("abcde", "bc", 1, 3));
+var_dump(substr_compare("abcde", "cd", 1, 2));
+var_dump(substr_compare("abcde", "abc", 5, 1));
+
+var_dump(substr_compare("abcde", -1, 0, NULL, new stdClass));
+echo "Test\n";
+var_dump(substr_compare("abcde", "abc", -1, NULL, -5));
+var_dump(substr_compare("abcde", -1, 0, "str", new stdClass));
+
+echo "Done\n";
+?>
+--EXPECTF--
+int(0)
+int(0)
+int(0)
+int(1)
+int(-1)
+
+Warning: substr_compare(): The start position cannot exceed initial string length in %s on line %d
+bool(false)
+
+Warning: substr_compare() expects parameter 5 to be boolean, object given in %s on line %d
+bool(false)
+Test
+
+Warning: substr_compare(): The length must be greater than zero in %s on line %d
+bool(false)
+
+Warning: substr_compare() expects parameter 4 to be long, string given in %s on line %d
+bool(false)
+Done
-- 
2.50.1