56 lines
1.7 KiB
Diff
56 lines
1.7 KiB
Diff
Backported from 5.5 for 5.4 by Remi Collet
|
|
|
|
From f8dd10508bd66b6eefb18d319577b443fb1e0c55 Mon Sep 17 00:00:00 2001
|
|
From: Stanislav Malyshev <stas@php.net>
|
|
Date: Mon, 28 Mar 2016 01:22:37 -0700
|
|
Subject: [PATCH] Fixed bug #71906: AddressSanitizer: negative-size-param (-1)
|
|
in mbfl_strcut
|
|
|
|
---
|
|
ext/mbstring/libmbfl/mbfl/mbfilter.c | 34 +++++++++++++++++-----------------
|
|
main/php_version.h | 6 +++---
|
|
2 files changed, 20 insertions(+), 20 deletions(-)
|
|
|
|
diff --git a/ext/mbstring/libmbfl/mbfl/mbfilter.c b/ext/mbstring/libmbfl/mbfl/mbfilter.c
|
|
index 3b14727..4986472 100644
|
|
--- a/ext/mbstring/libmbfl/mbfl/mbfilter.c
|
|
+++ b/ext/mbstring/libmbfl/mbfl/mbfilter.c
|
|
@@ -1501,7 +1501,7 @@ mbfl_strcut(
|
|
if (encoding->flag & (MBFL_ENCTYPE_WCS2BE | MBFL_ENCTYPE_WCS2LE)) {
|
|
from &= -2;
|
|
|
|
- if (from + length >= string->len) {
|
|
+ if (length >= string->len - from) {
|
|
length = string->len - from;
|
|
}
|
|
|
|
@@ -1510,14 +1510,14 @@ mbfl_strcut(
|
|
} else if (encoding->flag & (MBFL_ENCTYPE_WCS4BE | MBFL_ENCTYPE_WCS4LE)) {
|
|
from &= -4;
|
|
|
|
- if (from + length >= string->len) {
|
|
+ if (length >= string->len - from) {
|
|
length = string->len - from;
|
|
}
|
|
|
|
start = string->val + from;
|
|
end = start + (length & -4);
|
|
} else if ((encoding->flag & MBFL_ENCTYPE_SBCS)) {
|
|
- if (from + length >= string->len) {
|
|
+ if (length >= string->len - from) {
|
|
length = string->len - from;
|
|
}
|
|
|
|
@@ -1539,7 +1539,7 @@ mbfl_strcut(
|
|
start = p;
|
|
|
|
/* search end position */
|
|
- if ((start - string->val) + length >= (int)string->len) {
|
|
+ if (length >= (int)string->len - (start - string->val)) {
|
|
end = string->val + string->len;
|
|
} else {
|
|
for (q = p + length; p < q; p += (m = mbtab[*p]));
|
|
--
|
|
2.1.4
|
|
|
