Merge branch 'PHP-7.4' into PHP-8.0

* PHP-7.4: Fix #72146: Integer overflow on substr_replace
2024-11-24 02:15:04 +08:00 · 2021-07-15 12:55:47 +02:00 · 2021-07-15 12:55:47 +02:00 · c0a1ef3e32
commit c0a1ef3e32
parent 567e53ea58 33f8dfb15a
3 changed files with 16 additions and 1 deletions
--- a/2
+++ b/2
@ -2,6 +2,8 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2021, PHP 8.0.10

+- Standard:
+  . Fixed bug #72146 (Integer overflow on substr_replace). (cmb)

 29 Jul 2021, PHP 8.0.9

--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@ -2395,7 +2395,9 @@ PHP_FUNCTION(substr_replace)
 				}
 			}

-			if ((f + l) > (zend_long)ZSTR_LEN(orig_str)) {
+			ZEND_ASSERT(0 <= f && f <= ZEND_LONG_MAX);
+			ZEND_ASSERT(0 <= l && l <= ZEND_LONG_MAX);
+			if (((size_t) f + l) > ZSTR_LEN(orig_str)) {
 				l = ZSTR_LEN(orig_str) - f;
 			}

--- a/ext/standard/tests/strings/bug72146.phpt
+++ b/ext/standard/tests/strings/bug72146.phpt
@ -0,0 +1,11 @@
+--TEST--
+Bug #72146 (Integer overflow on substr_replace)
+--FILE--
+<?php 
+var_dump(substr_replace(["ABCDE"], "123", 3, PHP_INT_MAX));
+?>
+--EXPECT--
+array(1) {
+  [0]=>
+  string(6) "ABC123"
+}