File php-5.1.2-CVE-2007-1375.patch of Package php

--- ext/standard/string.c
+++ ext/standard/string.c
@@ -1955,11 +1955,19 @@
 	if (argc > 2) {
 		convert_to_long_ex(len);
 		l = Z_LVAL_PP(len);
+                if ((l < 0 && -l > Z_STRLEN_PP(str))) {
+                        RETURN_FALSE;
+                } else if (l > Z_STRLEN_PP(str)) {
+                        l = Z_STRLEN_PP(str);
+                }
 	} else {
 		l = Z_STRLEN_PP(str);
 	}
 	
 	f = Z_LVAL_PP(from);
+        if (f > Z_STRLEN_PP(str) || (f < 0 && -f > Z_STRLEN_PP(str))) {
+                RETURN_FALSE;
+        }
 
 	/* if "from" position is negative, count start position from the end
 	 * of the string
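Review bot: The added guards `-l > Z_STRLEN_PP(str)` and `-f > Z_STRLEN_PP(str)` negate a signed value, which overflows when the argument is the most negative value of its type. That is undefined behaviour in C, so the bounds check can itself misbehave on caller-supplied input. Comparing without negating avoids it: `if (l < 0 && l < -Z_STRLEN_PP(str)) {` and `if (f > Z_STRLEN_PP(str) || f < -Z_STRLEN_PP(str)) {`, since the string length is presumably never negative. The same negations recur in the block added by the second hunk. The declarations of `l` and `f`, and the start and end of the function, are outside this hunk.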
@@ -1985,6 +1993,13 @@
 		RETURN_FALSE;
 	}
 
+ 
+        if (f > Z_STRLEN_PP(str) || (f < 0 && -f > Z_STRLEN_PP(str))) {
+		RETURN_FALSE;
+        } else if (l > Z_STRLEN_PP(str) || (l < 0 && -l > Z_STRLEN_PP(str))) {
+                RETURN_FALSE;
+        }
+
 	if ((f + l) > Z_STRLEN_PP(str)) {
 		l = Z_STRLEN_PP(str) - f;
 	}
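Review bot: The clamp on the context line `if ((f + l) > Z_STRLEN_PP(str))` still adds two signed values, and the new block only bounds each of them by the string length. For a very long string the sum can therefore exceed the type's range before the comparison is made. With `f` already known to be at most the string length, the subtraction form `if (l > Z_STRLEN_PP(str) - f) {` cannot overflow, and it matches the form this patch uses in its last hunk. The negative-value branches of the added block look unreachable if the code between the two hunks has already normalised `f` and `l`, but that code is not visible here.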
@@ -4475,18 +4490,20 @@
 			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Offset should be greater than or equal to 0.");
 			RETURN_FALSE;		
 		}
-		p += Z_LVAL_PP(offset);
-		if (p > endp) {
+
+                if (Z_LVAL_PP(offset) > Z_STRLEN_PP(haystack)) {
 			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Offset value %ld exceeds string length.", Z_LVAL_PP(offset));
 			RETURN_FALSE;		
 		}
+                p += Z_LVAL_PP(offset);
+ 
 		if (ac == 4) {
 			convert_to_long_ex(length);
 			if (Z_LVAL_PP(length) <= 0) {
 				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Length should be greater than 0.");
 				RETURN_FALSE;		
 			}
-			if ((p + Z_LVAL_PP(length)) > endp) {
+                        if ((p + Z_LVAL_PP(length)) <= p || (p + Z_LVAL_PP(length)) > endp) {
 				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Length value %ld exceeds string length.", Z_LVAL_PP(length));
 				RETURN_FALSE;
 			}
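Review bot: The added test `(p + Z_LVAL_PP(length)) <= p` detects overflow by letting the pointer wrap, but forming a pointer more than one past the end of the buffer is undefined behaviour. Because `length` was just checked to be positive, an optimising compiler may treat the comparison as always false and remove it. Comparing the length with the space that remains keeps the check in integer arithmetic: `if (Z_LVAL_PP(length) > (endp - p)) {`. This assumes `endp` marks the end of the haystack, which is set up outside the hunk; the offset check added earlier in the hunk keeps `endp - p` from going negative.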
@@ -4892,11 +4909,17 @@
 		offset = (offset < 0) ? 0 : offset;
 	}
 
-	if ((offset + len) > s1_len) {
+        if(offset > s1_len) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "The start position cannot exceed initial string length");
 		RETURN_FALSE;
 	}
 
+        if(len > s1_len - offset) {
+                php_error_docref(NULL TSRMLS_CC, E_WARNING, "The length cannot exceed initial string length");
+                RETURN_FALSE;
+        }
+
+
 	cmp_len = (uint) (len ? len : MAX(s2_len, (s1_len - offset)));
 
 	if (!cs) {
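Review bot: The new `len > s1_len - offset` test is only safe because the `offset > s1_len` test runs first, and nothing in the hunk records that ordering. A one-line comment above it would keep the two from being reordered or merged back into a sum: `/* offset <= s1_len here, so s1_len - offset cannot be negative */`. The comparison also passes for a negative `len`, which the `(uint)` cast on the next line would turn into a very large count; whether an earlier guard rejects that case is outside the hunk. The added lines use `if(` and space indentation where the surrounding code uses `if (` and tabs.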