Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:rkwasny
php
php-5.1.2-CVE-2007-1375.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File php-5.1.2-CVE-2007-1375.patch of Package php
--- ext/standard/string.c +++ ext/standard/string.c @@ -1955,11 +1955,19 @@ if (argc > 2) { convert_to_long_ex(len); l = Z_LVAL_PP(len); + if ((l < 0 && -l > Z_STRLEN_PP(str))) { + RETURN_FALSE; + } else if (l > Z_STRLEN_PP(str)) { + l = Z_STRLEN_PP(str); + } } else { l = Z_STRLEN_PP(str); } f = Z_LVAL_PP(from); + if (f > Z_STRLEN_PP(str) || (f < 0 && -f > Z_STRLEN_PP(str))) { + RETURN_FALSE; + } /* if "from" position is negative, count start position from the end * of the string @@ -1985,6 +1993,13 @@ RETURN_FALSE; } + + if (f > Z_STRLEN_PP(str) || (f < 0 && -f > Z_STRLEN_PP(str))) { + RETURN_FALSE; + } else if (l > Z_STRLEN_PP(str) || (l < 0 && -l > Z_STRLEN_PP(str))) { + RETURN_FALSE; + } + if ((f + l) > Z_STRLEN_PP(str)) { l = Z_STRLEN_PP(str) - f; } @@ -4475,18 +4490,20 @@ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Offset should be greater than or equal to 0."); RETURN_FALSE; } - p += Z_LVAL_PP(offset); - if (p > endp) { + + if (Z_LVAL_PP(offset) > Z_STRLEN_PP(haystack)) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Offset value %ld exceeds string length.", Z_LVAL_PP(offset)); RETURN_FALSE; } + p += Z_LVAL_PP(offset); + if (ac == 4) { convert_to_long_ex(length); if (Z_LVAL_PP(length) <= 0) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Length should be greater than 0."); RETURN_FALSE; } - if ((p + Z_LVAL_PP(length)) > endp) { + if ((p + Z_LVAL_PP(length)) <= p || (p + Z_LVAL_PP(length)) > endp) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Length value %ld exceeds string length.", Z_LVAL_PP(length)); RETURN_FALSE; } @@ -4892,11 +4909,17 @@ offset = (offset < 0) ? 0 : offset; } - if ((offset + len) > s1_len) { + if(offset > s1_len) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "The start position cannot exceed initial string length"); RETURN_FALSE; } + if(len > s1_len - offset) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "The length cannot exceed initial string length"); + RETURN_FALSE; + } + + cmp_len = (uint) (len ? len : MAX(s2_len, (s1_len - offset))); if (!cs) {
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor