File php-CVE-2016-4540,4541.patch of Package php5

X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fintl%2Fgrapheme%2Fgrapheme_string.c;h=3ba9b515240d31c9566090ff9a7c78e55efb4d7d;hp=8a094e015e43330b53d566af8a35811986951f21;hb=fd9689745c44341b1bd6af4756f324be8abba2fb;hpb=b15f0ecc0f34364fd7ce924b4164be4e8198ff93

diff --git a/ext/intl/grapheme/grapheme_string.c b/ext/intl/grapheme/grapheme_string.c
index 8a094e0..3ba9b51 100644
--- a/ext/intl/grapheme/grapheme_string.c
+++ b/ext/intl/grapheme/grapheme_string.c
@@ -112,7 +112,7 @@ PHP_FUNCTION(grapheme_strpos)
 	int haystack_len, needle_len;
 	unsigned char *found;
 	long loffset = 0;
-	int32_t offset = 0;
+	int32_t offset = 0, noffset = 0;
 	int ret_pos;
 
 	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss|l", (char **)&haystack, &haystack_len, (char **)&needle, &needle_len, &loffset) == FAILURE) {
@@ -132,6 +132,7 @@ PHP_FUNCTION(grapheme_strpos)
 
 	/* we checked that it will fit: */
 	offset = (int32_t) loffset;
+	noffset = offset >= 0 ? offset : haystack_len + offset;
 
 	/* the offset is 'grapheme count offset' so it still might be invalid - we'll check it later */
 
@@ -146,7 +147,7 @@ PHP_FUNCTION(grapheme_strpos)
 	/* quick check to see if the string might be there
 	 * I realize that 'offset' is 'grapheme count offset' but will work in spite of that
 	*/
-	found = (unsigned char *)php_memnstr((char *)haystack + offset, (char *)needle, needle_len, (char *)haystack + haystack_len);
+	found = (unsigned char *)php_memnstr((char *)haystack + noffset, (char *)needle, needle_len, (char *)haystack + haystack_len);
 
 	/* if it isn't there the we are done */
 	if (!found) {
@@ -214,12 +215,13 @@ PHP_FUNCTION(grapheme_stripos)
 	is_ascii = ( grapheme_ascii_check(haystack, haystack_len) >= 0 );
 
 	if ( is_ascii ) {
+		int32_t noffset = offset >= 0 ? offset : haystack_len + offset;
 		needle_dup = (unsigned char *)estrndup((char *)needle, needle_len);
 		php_strtolower((char *)needle_dup, needle_len);
 		haystack_dup = (unsigned char *)estrndup((char *)haystack, haystack_len);
 		php_strtolower((char *)haystack_dup, haystack_len);
 
-		found = (unsigned char*) php_memnstr((char *)haystack_dup + offset, (char *)needle_dup, needle_len, (char *)haystack_dup + haystack_len);
+		found = (unsigned char*) php_memnstr((char *)haystack_dup + noffset, (char *)needle_dup, needle_len, (char *)haystack_dup + haystack_len);
 
 		efree(haystack_dup);
 		efree(needle_dup);