diff options
Diffstat (limited to 'bug71906.patch')
-rw-r--r-- | bug71906.patch | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/bug71906.patch b/bug71906.patch new file mode 100644 index 0000000..6a29692 --- /dev/null +++ b/bug71906.patch @@ -0,0 +1,55 @@ +Backported from 5.5 for 5.4 by Remi Collet + +From f8dd10508bd66b6eefb18d319577b443fb1e0c55 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 28 Mar 2016 01:22:37 -0700 +Subject: [PATCH] Fixed bug #71906: AddressSanitizer: negative-size-param (-1) + in mbfl_strcut + +--- + ext/mbstring/libmbfl/mbfl/mbfilter.c | 34 +++++++++++++++++----------------- + main/php_version.h | 6 +++--- + 2 files changed, 20 insertions(+), 20 deletions(-) + +diff --git a/ext/mbstring/libmbfl/mbfl/mbfilter.c b/ext/mbstring/libmbfl/mbfl/mbfilter.c +index 3b14727..4986472 100644 +--- a/ext/mbstring/libmbfl/mbfl/mbfilter.c ++++ b/ext/mbstring/libmbfl/mbfl/mbfilter.c +@@ -1501,7 +1501,7 @@ mbfl_strcut( + if (encoding->flag & (MBFL_ENCTYPE_WCS2BE | MBFL_ENCTYPE_WCS2LE)) { + from &= -2; + +- if (from + length >= string->len) { ++ if (length >= string->len - from) { + length = string->len - from; + } + +@@ -1510,14 +1510,14 @@ mbfl_strcut( + } else if (encoding->flag & (MBFL_ENCTYPE_WCS4BE | MBFL_ENCTYPE_WCS4LE)) { + from &= -4; + +- if (from + length >= string->len) { ++ if (length >= string->len - from) { + length = string->len - from; + } + + start = string->val + from; + end = start + (length & -4); + } else if ((encoding->flag & MBFL_ENCTYPE_SBCS)) { +- if (from + length >= string->len) { ++ if (length >= string->len - from) { + length = string->len - from; + } + +@@ -1539,7 +1539,7 @@ mbfl_strcut( + start = p; + + /* search end position */ +- if ((start - string->val) + length >= (int)string->len) { ++ if (length >= (int)string->len - (start - string->val)) { + end = string->val + string->len; + } else { + for (q = p + length; p < q; p += (m = mbtab[*p])); +-- +2.1.4 + |