From: christopher dot jones at oracle dot com
Operating system: Enterprise Linux
PHP version: 5CVS-2007-03-08 (CVS)
PHP Bug Type: Strings related
Bug description: substr() checks overflow

Description:
------------
Related to the problems fixed in today's patches for substr_count() and substr_compare(), there are issues with substr() and substr_replace(). Also there might be return value inconsistencies with strspn() and strcspn().

Reproduce code:
---------------
<?php

$v = 2147483647; # INT_MAX on 32bit Linux

# Tries to allocate too much memory
var_dump(substr("abcde", 1, $v));
var_dump(substr_replace("abcde", "x", $v, $v));

# Functions with ill-defined behavior
var_dump(strspn("abcde", "abc", $v, $v));   # should return 0 but gives false
var_dump(strcspn("abcde", "abc", $v, $v));  # should return 0 but gives false

# Crashes
var_dump(substr_count("abcde", "abc", $v, $v));    # crashes <= 5.2.1. Fixed by Ilia http://news.php.net/php.cvs/43456
var_dump(substr_compare("abcde", "abc", $v, $v));  # crashes <= 5.2.1. Fixed by Stanislav http://news.php.net/php.cvs/43453

# Other tests (currently working)
var_dump(stripos("abcde", "abc", $v));
var_dump(substr_count("abcde", "abc", $v, 1));
var_dump(substr_count("abcde", "abc", 1, $v));
var_dump(strpos("abcde", "abc", $v));
var_dump(stripos("abcde", "abc", $v));
var_dump(strrpos("abcde", "abc", $v));
var_dump(strripos("abcde", "abc", $v));
var_dump(strncmp("abcde", "abc", $v));
var_dump(chunk_split("abcde", $v, "abc"));
var_dump(substr("abcde", $v, $v));
var_dump(str_repeat("a", $v+1));

?>

-- 
Edit bug report at http://bugs.php.net/?id=40754&edit=1
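
A sketch of how a request like substr("abcde", 1, INT_MAX) can slip past a start + length bounds check, next to a check that cannot wrap. This is an added example, not part of the original report and not PHP's source: the helper names are hypothetical, and it assumes 32-bit int and non-negative start and length only.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model (hypothetical helpers, not PHP's code): clamp a
 * (start, length) request against a string of str_len bytes and return
 * the number of bytes that would be copied, and therefore allocated. */

/* Weak form: the bound is tested on start + length, which wraps on a
 * 32-bit int. The wrap is modelled with unsigned arithmetic so that this
 * example has no undefined behaviour; converting the result back to
 * int32_t is implementation-defined and wraps on gcc and clang. */
int32_t clamp_len_wrapping(int32_t str_len, int32_t start, int32_t length)
{
    int32_t end = (int32_t)((uint32_t)start + (uint32_t)length);
    if (end > str_len)            /* false once the sum has gone negative */
        length = str_len - start;
    return length;                /* unclamped length reaches the allocator */
}

/* Hardened form: compare length with the bytes remaining after start.
 * Only a subtraction of two in-range values is needed, so nothing wraps. */
int32_t clamp_len_checked(int32_t str_len, int32_t start, int32_t length)
{
    if (start < 0 || length < 0 || start > str_len)
        return -1;                /* reject out-of-range request */
    if (length > str_len - start)
        length = str_len - start;
    return length;
}

int main(void)
{
    int32_t v = INT32_MAX;        /* same value as $v in the report */
    printf("wrapping: %d\n", clamp_len_wrapping(5, 1, v));
    printf("checked:  %d\n", clamp_len_checked(5, 1, v));
    return 0;
}
```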