fix possible substr_compare() crash

add new tests
20 years ago · 896a5216d7
3 changed files with 60 additions and 2 deletions
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@ -4884,13 +4884,19 @@ PHP_FUNCTION(substr_compare)
 		RETURN_FALSE;
 	}

-	if ((offset + len) >= s1_len) {
-		php_error_docref(NULL TSRMLS_CC, E_WARNING, "The start position cannot exceed initial string length.");
+	if (ZEND_NUM_ARGS() >= 4 && len <= 0) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "The length must be greater than zero");
 		RETURN_FALSE;
 	}

 	if (offset < 0) {
 		offset = s1_len + offset;
+		offset = (offset < 0) ? 0 : offset;
+	}
+
+	if ((offset + len) >= s1_len) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "The start position cannot exceed initial string length");
+		RETURN_FALSE;
 	}

 	cmp_len = (uint) (len ? len : MAX(s2_len, (s1_len - offset)));
--- a/ext/standard/tests/strings/bug33605.phpt
+++ b/ext/standard/tests/strings/bug33605.phpt
@ -0,0 +1,11 @@
+--TEST--
+Bug #33605 (substr_compare crashes)
+--FILE--
+<?php
+$res = substr_compare("aa", "a", -99999999, 0, 0);
+var_dump($res);
+
+?>
+--EXPECTF--
+Warning: substr_compare(): The length must be greater than zero in %s on line %d
+bool(false)
--- a/ext/standard/tests/strings/substr_compare.phpt
+++ b/ext/standard/tests/strings/substr_compare.phpt
@ -0,0 +1,41 @@
+--TEST--
+substr_compare()
+--FUNCTIONS--
+substr_compare
+--FILE--
+<?php
+
+var_dump(substr_compare("abcde", "bc", 1, 2));
+var_dump(substr_compare("abcde", "bcg", 1, 2));
+var_dump(substr_compare("abcde", "BC", 1, 2, true));
+var_dump(substr_compare("abcde", "bc", 1, 3));
+var_dump(substr_compare("abcde", "cd", 1, 2));
+var_dump(substr_compare("abcde", "abc", 5, 1));
+
+var_dump(substr_compare("abcde", -1, 0, NULL, new stdClass));
+echo "Test\n";
+var_dump(substr_compare("abcde", "abc", -1, NULL, -5));
+var_dump(substr_compare("abcde", -1, 0, "str", new stdClass));
+
+echo "Done\n";
+?>
+--EXPECTF--
+int(0)
+int(0)
+int(0)
+int(1)
+int(-1)
+
+Warning: substr_compare(): The start position cannot exceed initial string length in %s on line %d
+bool(false)
+
+Warning: substr_compare() expects parameter 5 to be boolean, object given in %s on line %d
+bool(false)
+Test
+
+Warning: substr_compare(): The length must be greater than zero in %s on line %d
+bool(false)
+
+Warning: substr_compare() expects parameter 4 to be long, string given in %s on line %d
+bool(false)
+Done