[PHP-CVS] cvs: php-src(PHP_5_2) /ext/standard string.c

Wed, 06 Jun 2007 10:59:35 -0700 

stas            Wed Jun  6 17:59:08 2007 UTC

  Modified files:              (Branch: PHP_5_2)
    /php-src/ext/standard       string.c 
  Log:
  Fix chunk_split fix - avoid using floats
  Fix money_format - don't give strfmon more arguments then supplied
  Fix str[c]spn integer overflow
  
  
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.445.2.14.2.60&r2=1.445.2.14.2.61&diff_format=u
Index: php-src/ext/standard/string.c
diff -u php-src/ext/standard/string.c:1.445.2.14.2.60 
php-src/ext/standard/string.c:1.445.2.14.2.61
--- php-src/ext/standard/string.c:1.445.2.14.2.60       Tue Jun  5 13:35:26 2007
+++ php-src/ext/standard/string.c       Wed Jun  6 17:59:07 2007
@@ -18,7 +18,7 @@
    +----------------------------------------------------------------------+
  */
 
-/* $Id: string.c,v 1.445.2.14.2.60 2007/06/05 13:35:26 tony2001 Exp $ */
+/* $Id: string.c,v 1.445.2.14.2.61 2007/06/06 17:59:07 stas Exp $ */
 
 /* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */
 
@@ -239,10 +239,14 @@
                }
        }
        
-       if ((start + len) > len1) {
+       if (len > len1 - start) {
                len = len1 - start;
        }
 
+       if(len == 0) {
+               RETURN_LONG(0);
+       }
+
        if (behavior == STR_STRSPN) {
                RETURN_LONG(php_strspn(s11 + start /*str1_start*/,
                                                s22 /*str2_start*/,
@@ -1956,18 +1960,23 @@
        char *p, *q;
        int chunks; /* complete chunks! */
        int restlen;
-       float out_len; 
+       int out_len; 
 
        chunks = srclen / chunklen;
        restlen = srclen - chunks * chunklen; /* srclen % chunklen */
 
+       if(chunks > INT_MAX - 1) {
+               return NULL;
+       }
        out_len = chunks + 1;
+       if(out_len > INT_MAX/endlen) {
+               return NULL;
+       }
        out_len *= endlen;
-       out_len += srclen + 1;
-
-       if (out_len > INT_MAX || out_len <= 0) {
+       if(out_len > INT_MAX - srclen - 1) {
                return NULL;
        }
+       out_len += srclen + 1;
 
        dest = safe_emalloc((int)out_len, sizeof(char), 0);
 
@@ -4985,13 +4994,28 @@
 PHP_FUNCTION(money_format)
 {
        int format_len = 0, str_len;
-       char *format, *str;
+       char *format, *str, *p, *e;
        double value;
+       zend_bool check = 0;
 
        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sd", &format, 
&format_len, &value) == FAILURE) {
                return;
        }
 
+       p = format;
+       e = p + format_len;
+       while ((p = memchr(p, '%', (e - p)))) {
+               if (*(p + 1) == '%') {
+                       p += 2; 
+               } else if (!check) {
+                       check = 1;
+                       p++;
+               } else {
+                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Only a 
single %%i or %%n token can be used");
+                       RETURN_FALSE;
+               }
+       }
+
        str_len = format_len + 1024;
        str = emalloc(str_len);
        if ((str_len = strfmon(str, str_len, format, value)) < 0) {

-- 
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to