
Commit c34d4fb

committed
Fix phpGH-16360 mb_substr overflow on start and length arguments.
The overflow occurs when either argument is set to ZEND_LONG_MIN and is then negated in order to count from the end of the string.
1 parent e2e2b3a commit c34d4fb


3 files changed

+37
-0
lines changed


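--- a/NEWS
+++ b/NEWS
@@ -17,6 +17,10 @@ PHP NEWS
 . Fixed bug GH-16316 (DOMXPath breaks when not initialized properly).
 (nielsdos)
 
+- MBstring:
+. Fixed bug GH-16361 (mb_substr overflow on start/length arguments).
+(David Carlier)
+
 - PHPDBG:
 . Fixed bug GH-16174 (Empty string is an invalid expression for ev). (cmb)
 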

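--- a/ext/mbstring/mbstring.c
+++ b/ext/mbstring/mbstring.c
@@ -2172,6 +2172,16 @@ PHP_FUNCTION(mb_substr)
 Z_PARAM_STR_OR_NULL(encoding)
 ZEND_PARSE_PARAMETERS_END();
 
+if (from == ZEND_LONG_MIN) {
+zend_argument_value_error(2, "must be between " ZEND_LONG_FMT " and " ZEND_LONG_FMT, (ZEND_LONG_MIN + 1), ZEND_LONG_MAX);
+RETURN_THROWS();
+}
+
+if (!len_is_null && len == ZEND_LONG_MIN) {
+zend_argument_value_error(3, "must be between " ZEND_LONG_FMT " and " ZEND_LONG_FMT, (ZEND_LONG_MIN + 1), ZEND_LONG_MAX);
+RETURN_THROWS();
+}
+
 string.encoding = php_mb_get_encoding(encoding, 4);
 if (!string.encoding) {
 RETURN_THROWS();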
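Review bot: The two added guards on `from` and `len` carry no comment saying why ZEND_LONG_MIN alone is rejected, so they read as arbitrary range checks. A line above the first one, such as `/* -ZEND_LONG_MIN is not representable in zend_long; reject it before the from-the-end negation */`, would record that they exist to keep a signed negation of caller-supplied integers from overflowing. The negation itself is outside this hunk, so that reason is taken from the commit description rather than from visible code. The checks also run before the `php_mb_get_encoding(encoding, 4)` lookup, so a call with both PHP_INT_MIN and an invalid encoding now reports the start/length error first; worth confirming that ordering is intended. The body of mb_substr starts and ends outside the hunk.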

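--- a/ext/mbstring/tests/gh16360.phpt
+++ b/ext/mbstring/tests/gh16360.phpt
@@ -0,0 +1,23 @@
+--TEST--
+GH-16320 mb_substr overflow from negative length
+--EXTENSIONS--
+mbstring
+--FILE--
+<?php
+try {
+mb_substr("abcd", PHP_INT_MIN, 4, "UTF-8");
+} catch (\ValueError $e) {
+echo $e->getMessage() . PHP_EOL;
+}
+try {
+mb_substr("abcd", 0, PHP_INT_MIN, "UTF-8");
+} catch (\ValueError $e) {
+echo $e->getMessage() . PHP_EOL;
+}
+var_dump(mb_substr("abcd", PHP_INT_MAX, PHP_INT_MAX, "UTF-8"));
+?>
+--EXPECTF--
+mb_substr(): Argument #2 ($start) must be between %s and %s
+mb_substr(): Argument #3 ($length) must be between %s and %s
+string(0) ""
+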
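Review bot: The `--TEST--` title names GH-16320, while the file is gh16360.phpt, the commit title refers to GH-16360 and the NEWS entry says GH-16361; all of these should name the same issue, whichever number is correct. The title also mentions only "negative length" although the first case exercises `$start`, so something like `GH-<issue> (mb_substr overflow on start and length arguments)` would describe the test better. In `--EXPECTF--`, `%s` accepts any text for the bounds; `must be between %i and %d` would pin both to integers and catch a broken format string in the error message.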
