From a1f6c395cf8d71c6ea5cf2ddb8bf37b7d77b6b89 Mon Sep 17 00:00:00 2001
From: Antony Dovgal
Date: Fri, 24 Nov 2006 21:57:31 +0000
Subject: [PATCH] fix #39621 (str_replace() is not binary safe on strings with equal length)
---
 ext/standard/string.c | 33 +++++++++++++++++------
 ext/standard/tests/strings/bug39621.phpt | Bin 0 -> 984 bytes
 2 files changed, 25 insertions(+), 8 deletions(-)
 create mode 100644 ext/standard/tests/strings/bug39621.phpt
diff --git a/ext/standard/string.c b/ext/standard/string.c
index 6c2ac0e9a4..6f2c18ac2c 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -5150,16 +5150,33 @@ nothing_todo:
 new_str = estrndup(haystack, length);
 return new_str;
 } else {
- if (case_sensitivity ? strncmp(haystack, needle, length) : strncasecmp(haystack, needle, length)) {
+ if (case_sensitivity && memcmp(haystack, needle, length)) {
 goto nothing_todo;
- } else {
- *_new_length = str_len;
- new_str = estrndup(str, str_len);
- if (replace_count) {
- (*replace_count)++;
+ } else if (!case_sensitivity) {
+ char *l_haystack, *l_needle;
+
+ l_haystack = estrndup(haystack, length);
+ l_needle = estrndup(needle, length);
+
+ php_strtolower(l_haystack, length);
+ php_strtolower(l_needle, length);
+
+ if (memcmp(l_haystack, l_needle, length)) {
+ efree(l_haystack);
+ efree(l_needle);
+ goto nothing_todo;
 }
- return new_str;
+ efree(l_haystack);
+ efree(l_needle);
+ }
+
+ *_new_length = str_len;
+ new_str = estrndup(str, str_len);
+
+ if (replace_count) {
+ (*replace_count)++;
 }
+ return new_str;
 }
 }
@@ -5253,7 +5270,7 @@ nothing_todo:
 new_str = eustrndup(haystack, length);
 return new_str;
 } else {
- if (u_strncmp(haystack, needle, length)) {
+ if (u_memcmp(haystack, needle, length)) {
 goto nothing_todo;
 } else {
 *_new_length = repl_len;
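Review bot: Both `memcmp` calls in the first hunk, and the `estrndup(needle, length)` copy, now read exactly `length` bytes from `needle`, where the old `strncmp`/`strncasecmp` stopped at the first NUL. The code therefore relies on the needle being exactly `length` bytes long in this branch, and that condition (presumably the equal-length test named in the commit subject) sits outside the hunk. I would state it at the comparison, e.g. `/* needle_len == length in this branch, so comparing length bytes stays inside both buffers */`, and the same comment belongs at the `u_memcmp` call in the second hunk. Separately, the case-insensitive path frees both copies in two places; keeping the result as `int differs = memcmp(l_haystack, l_needle, length);` and freeing once before testing `differs` would remove the duplicated cleanup. The enclosing functions start and end outside both hunks.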
diff --git a/ext/standard/tests/strings/bug39621.phpt b/ext/standard/tests/strings/bug39621.phpt new file mode 100644 index 0000000000000000000000000000000000000000..e9c4a3ff6fd755255519d4d13ffa64f0bcb2a723 GIT binary patch literal 984 zcmd5)O-sZu5cO()#ZW!8V8C@j6h9W!E(ji6tdPUPlI_MeQq!+QyZ_##O-hR%7S@B) zOL=c*-pkBj9EC3t#^_EZa5TL4?T*8_QT5X}GZwzt)I){s- zhA%EtV5OoNWK1M74G_lj$EQ&Dyq*Nh?iPfQzjnvn z8}_%?4R1If_qhKsypovJHl+QUAFCyXw6XJQ_Z%LJ(;U2qT(G6knzLJdn<04)@1r@! yhp4+@e=-fa+dJs}?Lb}VqW&gb{ungETJg1)L`v{D->_dLcj3nUUBwt}RlfoG(mxmg literal 0 HcmV?d00001 -- 2.50.1