diff --git a/ext/standard/string.c b/ext/standard/string.c index 9930110624c..3d6dabfe7a5 100644 --- a/ext/standard/string.c +++ b/ext/standard/string.c @@ -1842,7 +1842,7 @@ PHP_FUNCTION(strrpos) p = haystack + offset; e = haystack + haystack_len - needle_len; } else { - if (-offset > haystack_len) { + if (-offset > haystack_len || offset < -INT_MAX) { php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Offset is greater than the length of haystack string"); RETURN_FALSE; } diff --git a/ext/standard/tests/strings/strrpos_offset.phpt b/ext/standard/tests/strings/strrpos_offset.phpt new file mode 100644 index 00000000000..6d641ab1e1a --- /dev/null +++ b/ext/standard/tests/strings/strrpos_offset.phpt @@ -0,0 +1,41 @@ +--TEST-- +strrpos() offset integer overflow +--FILE-- + +--EXPECTF-- +Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d +bool(false) + +Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d +bool(false) + +Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d +bool(false) + +Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d +bool(false) + +Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d +bool(false) + +Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d +bool(false) + +Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d +bool(false) + +Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d +bool(false) +Done