From 8f306fd7490d760f54b75dc4faafd79b87e815f2 Mon Sep 17 00:00:00 2001
From: Jay Smith
Date: Thu, 6 May 2004 16:11:50 +0000
Subject: [PATCH] Fixed a segfault. (It's possible for large offsets to make strrpos() read past the end of the haystack string...)
---
 ext/standard/string.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/ext/standard/string.c b/ext/standard/string.c
index 24bfd75c37..9bac292371 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -1614,7 +1614,9 @@ PHP_FUNCTION(strrpos)
 e = haystack + haystack_len - needle_len;
 } else {
 p = haystack;
- if (needle_len > -offset) {
+ if (-offset > haystack_len) {
+ e = haystack - needle_len;
+ } else if (needle_len > -offset) {
 e = haystack + haystack_len - needle_len;
 } else {
 e = haystack + haystack_len + offset;
@@ -1681,7 +1683,11 @@ PHP_FUNCTION(strripos)
 e = haystack + haystack_len - 1;
 } else {
 p = haystack;
- e = haystack + haystack_len - offset;
+ if (-offset > haystack_len) {
+ e = haystack + haystack_len - 1;
+ } else {
+ e = haystack + haystack_len + offset;
+ }
 }
 /* Borrow that ord_needle buffer to avoid repeatedly tolower()ing needle */
 *ord_needle = tolower(*needle);
@@ -1704,7 +1710,9 @@ PHP_FUNCTION(strripos)
 e = haystack_dup + haystack_len - needle_len;
 } else {
 p = haystack_dup;
- if (needle_len > -offset) {
+ if (-offset > haystack_len) {
+ e = haystack_dup - needle_len;
+ } else if (needle_len > -offset) {
 e = haystack_dup + haystack_len - needle_len;
 } else {
 e = haystack_dup + haystack_len + offset;
--
2.40.0
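Review bot: The new `-offset > haystack_len` branch in strrpos sets `e = haystack - needle_len`, a pointer before the start of the buffer, which is undefined behaviour in C even when it is never dereferenced; the third hunk does the same with `haystack_dup`. It presumably works only because the search loop, which lies outside the hunk, compares `e` against `p` and so never runs. An explicit early exit states the intent and avoids the out-of-range pointer: `if (offset < -haystack_len) { RETURN_FALSE; }`. Writing the test that way also avoids negating `offset`, which overflows if it holds the most negative value of its type (the declarations are not visible here). In the third hunk an early return would first have to release `haystack_dup` and anything else allocated above the hunk.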
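Review bot: In the single-character path of strripos the out-of-range case sets `e = haystack + haystack_len - 1`, so a negative offset larger than the string searches the whole haystack, while the multi-character path in the next hunk makes the range empty and finds nothing. The two paths should give the same answer for the same offset; treating it as no match here as well, `if (-offset > haystack_len) { RETURN_FALSE; }`, keeps them consistent. Note also that `haystack + haystack_len - 1` points before the buffer when `haystack_len` is 0, unless an empty haystack is rejected above the hunk, which cannot be confirmed from here.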