Fixed possible buffer over run in php_mb_safe_strrchr_ex()

24 years ago · e40416ebf6
1 changed files with 13 additions and 4 deletions
--- a/ext/mbstring/mbstring.c
+++ b/ext/mbstring/mbstring.c
@ -3459,17 +3459,26 @@ MBSTRING_API char *php_mb_safe_strrchr_ex(const char *s, unsigned int c, size_t
 	char *last=NULL;

 	if (nbytes == (size_t)-1) {
+		size_t nb = 0;
+
 		while (*p != '\0') {
-			if ((unsigned int)*p == c) {
-				last = (char *)p;
+			if (nb == 0) {
+				if ((unsigned char)*p == (unsigned char)c) {
+					last = (char *)p;
+				}
+				nb = php_mb_mbchar_bytes_ex(p, enc);
+				if (nb == 0) {
+					return NULL; /* something is going wrong! */
+				}
 			}
-			p += php_mb_mbchar_bytes_ex(p, enc);
+			--nb;
+			++p;
 		}
 	} else {
 		register size_t bcnt = nbytes;
 		register size_t nbytes_char;
 		while (bcnt > 0) {
-			if ((unsigned int)*p == c) {
+			if ((unsigned char)*p == (unsigned char)c) {
 				last = (char *)p;
 			}
 			nbytes_char = php_mb_mbchar_bytes_ex(p, enc);