From: christopher dot jones at oracle dot com
Operating system: Enterprise Linux
PHP version: 5CVS-2007-03-08 (CVS)
PHP Bug Type: Strings related
Bug description: substr() checks overflow
Description:
------------
Related to the problems fixed in today's patches for substr_count() and
substr_compare() there are issues with substr() and substr_replace().
Also there might be return value inconsistencies with strspn() and
strcspn().
Reproduce code:
---------------
<?php
$v = 2147483647; # INT_MAX on 32bit Linux
# Tries to allocate too much memory
var_dump(substr("abcde", 1, $v));
var_dump(substr_replace("abcde", "x", $v, $v));
# Functions with ill-defined behavior
var_dump(strspn("abcde", "abc", $v, $v)); # should return 0 but gives false
var_dump(strcspn("abcde", "abc", $v, $v)); # should return 0 but gives false
# Crashes
var_dump(substr_count("abcde", "abc", $v, $v)); # crashes <= 5.2.1. Fixed by Ilia http://news.php.net/php.cvs/43456
var_dump(substr_compare("abcde", "abc", $v, $v)); # crashes <= 5.2.1. Fixed by Stanislav http://news.php.net/php.cvs/43453
# Other tests (currently working)
var_dump(stripos("abcde", "abc", $v));
var_dump(substr_count("abcde", "abc", $v, 1));
var_dump(substr_count("abcde", "abc", 1, $v));
var_dump(strpos("abcde", "abc", $v));
var_dump(stripos("abcde", "abc", $v));
var_dump(strrpos("abcde", "abc", $v));
var_dump(strripos("abcde", "abc", $v));
var_dump(strncmp("abcde", "abc", $v));
var_dump(chunk_split("abcde", $v, "abc"));
var_dump(substr("abcde", $v, $v));
var_dump(str_repeat("a", $v+1));
?>
--
Edit bug report at http://bugs.php.net/?id=40754&edit=1
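The class of range check the report's title refers to, shown as an added C example that is not part of the original report and is not PHP's source code. It assumes offset and length are 32-bit signed ints, as on the reporter's 32-bit Linux; the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* 32-bit addition that wraps, emulating `offset + length` computed in a
 * 32-bit int (assumption: two's-complement conversion, as on gcc/clang). */
static int32_t wrap_add(int32_t a, int32_t b) {
    return (int32_t)((uint32_t)a + (uint32_t)b);
}

/* Naive check: the sum can wrap negative and still pass the comparison. */
int range_ok_naive(int32_t len, int32_t offset, int32_t length) {
    if (offset < 0 || length < 0) return 0;
    return wrap_add(offset, length) <= len;
}

/* Overflow-safe check: compare length with the bytes remaining after
 * offset, so no addition of caller-supplied values is performed. */
int range_ok_safe(int32_t len, int32_t offset, int32_t length) {
    if (offset < 0 || length < 0 || offset > len) return 0;
    return length <= len - offset;
}

/* Clamp a requested length to what is available before sizing a buffer.
 * Returns -1 when offset or length is out of range. */
int32_t clamp_length(int32_t len, int32_t offset, int32_t length) {
    if (offset < 0 || length < 0 || offset > len) return -1;
    int32_t avail = len - offset;
    return length > avail ? avail : length;
}

int main(void) {
    int32_t v = INT32_MAX;   /* same value as $v in the reproduce script */
    int32_t len = 5;         /* strlen("abcde") */
    printf("naive(offset=v,len=v): %d\n", range_ok_naive(len, v, v));
    printf("safe (offset=v,len=v): %d\n", range_ok_safe(len, v, v));
    printf("clamp(offset=1,len=v): %d\n", (int)clamp_length(len, 1, v));
    return 0;
}
```
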