Fix #77367: Negative size parameter in mb_split

When adding the last element to the result value of `mb_split`, the
`chunk_pos` may point beyond the end of the string, in which case the
unsigned `n` would underflow.  Therefore, we check whether this is the
case in the first place, and only calculate `n` otherwise.  Since `n`
is no longer used outside the block, we move its declaration inside.
Christoph M. Becker 2018-12-29 14:17:23 +01:00 committed by Stanislav Malyshev
parent e40027ef0f
commit e617f03066
2 changed files with 23 additions and 3 deletions


@ -1238,7 +1238,6 @@ PHP_FUNCTION(mb_split)
size_t string_len;
int err;
size_t n;
zend_long count = -1;
if (zend_parse_parameters(ZEND_NUM_ARGS(), "ss|l", &arg_pattern, &arg_pattern_len, &string, &string_len, &count) == FAILURE) {
@ -1296,8 +1295,8 @@ PHP_FUNCTION(mb_split)
}
/* otherwise we just have one last element to add to the array */
n = ((OnigUChar *)(string + string_len) - chunk_pos);
if (n > 0) {
if ((OnigUChar *)(string + string_len) > chunk_pos) {
size_t n = ((OnigUChar *)(string + string_len) - chunk_pos);
add_next_index_stringl(return_value, (char *)chunk_pos, n);
} else {
add_next_index_stringl(return_value, "", 0);
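Review bot: The new guard `if ((OnigUChar *)(string + string_len) > chunk_pos)` stops the `size_t` wrap-around for the last element, but `chunk_pos` is still left pointing past the end of `string`, and this hunk does not show whether earlier code already read or copied through it. It is worth checking where `chunk_pos` is advanced (outside this hunk, elsewhere in the body of `mb_split`) and rejecting or clamping a match end greater than `string_len` there, so the out-of-range pointer is never formed and the comparison here is between valid pointers. The check also deserves a comment, for example `/* chunk_pos may lie past string + string_len (bug #77367); computing n first would wrap the unsigned size */`, since a later cleanup could otherwise fold it back into `n > 0`. The function starts and ends outside the hunk, so the loop that sets `chunk_pos` could not be reviewed here.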