File: 126-CVE-2007-4657_CVE-2007-4660.patch

php5 5.2.0%2Bdfsg-8%2Betch16
--- old/ext/standard/string.c	2007/05/24 21:29:27	1.445.2.14.2.57
+++ new/ext/standard/string.c	2007/06/06 18:15:41	1.445.2.14.2.62
@@ -239,10 +239,14 @@
 		}
 	}
 	
-	if ((start + len) > len1) {
+	if (len > len1 - start) {
 		len = len1 - start;
 	}
 
+	if(len == 0) {
+		RETURN_LONG(0);
+	}
+
 	if (behavior == STR_STRSPN) {
 		RETURN_LONG(php_strspn(s11 + start /*str1_start*/,
 						s22 /*str2_start*/,
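Review bot: The rewritten bound `len > len1 - start` is only safe if `start` already lies in 0..len1 and `len` is non-negative at this point, and that clamping sits above the hunk where it cannot be confirmed from here. A short comment would stop a later edit from "simplifying" the test back to the additive form, for example `/* compare against len1 - start: start + len can overflow int */`. The added `if(len == 0)` also departs from the `if (` spacing used on the surrounding lines. The enclosing function starts and ends outside the hunk.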
@@ -1956,11 +1960,25 @@
 	char *p, *q;
 	int chunks; /* complete chunks! */
 	int restlen;
+	int out_len; 
 
 	chunks = srclen / chunklen;
 	restlen = srclen - chunks * chunklen; /* srclen % chunklen */
 
-	dest = safe_emalloc((srclen + (chunks + 1) * endlen + 1), sizeof(char), 0);
+	if(chunks > INT_MAX - 1) {
+		return NULL;
+	}
+	out_len = chunks + 1;
+	if(endlen !=0 && out_len > INT_MAX/endlen) {
+		return NULL;
+	}
+	out_len *= endlen;
+	if(out_len > INT_MAX - srclen - 1) {
+		return NULL;
+	}
+	out_len += srclen + 1;
+
+	dest = safe_emalloc((int)out_len, sizeof(char), 0);
 
 	for (p = src, q = dest; p < (src + srclen - chunklen + 1); ) {
 		memcpy(q, p, chunklen);
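Review bot: The three new `return NULL;` exits give this function a failure result, so every caller has to test the pointer before using it, and neither the callers nor any length out-parameter are visible in this hunk. Checking each step before performing it is the right shape for signed `int` arithmetic, but the checks presume `srclen` and `endlen` are non-negative and `chunklen` is positive (the division `srclen / chunklen` is in the context lines); that validation, if it exists, lies outside the hunk. A comment above the checks such as `/* dest needs srclen + (chunks + 1) * endlen + 1 bytes; refuse if that exceeds INT_MAX */` would record the intent. The cast in `safe_emalloc((int)out_len, ...)` is redundant because `out_len` is declared `int`, so `dest = safe_emalloc(out_len, sizeof(char), 0);` is enough. The function begins and ends outside the hunk.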