From e40416ebf6cbc977da6bbd453d4e58dc2723fda2 Mon Sep 17 00:00:00 2001
From: Moriyoshi Koizumi <moriyoshi@php.net>
Date: Thu, 14 Nov 2002 21:33:36 +0000
Subject: [PATCH] Fixed possible buffer over run in php_mb_safe_strrchr_ex()

---
 ext/mbstring/mbstring.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c
index 47084ccc91..199ba03ac1 100644
--- a/ext/mbstring/mbstring.c
+++ b/ext/mbstring/mbstring.c
@@ -3459,17 +3459,26 @@ MBSTRING_API char *php_mb_safe_strrchr_ex(const char *s, unsigned int c, size_t
 	char *last=NULL;
 
 	if (nbytes == (size_t)-1) {
+		size_t nb = 0;
+
 		while (*p != '\0') {
-			if ((unsigned int)*p == c) {
-				last = (char *)p;
+			if (nb == 0) {
+				if ((unsigned char)*p == (unsigned char)c) {
+					last = (char *)p;
+				}
+				nb = php_mb_mbchar_bytes_ex(p, enc);
+				if (nb == 0) {
+					return NULL; /* something is going wrong! */
+				}
 			}
-			p += php_mb_mbchar_bytes_ex(p, enc);
+			--nb;
+			++p;
 		}
 	} else {
 		register size_t bcnt = nbytes;
 		register size_t nbytes_char;
 		while (bcnt > 0) {
-			if ((unsigned int)*p == c) {
+			if ((unsigned char)*p == (unsigned char)c) {
 				last = (char *)p;
 			}
 			nbytes_char = php_mb_mbchar_bytes_ex(p, enc);
-- 
2.40.0