Check string bounds in strspn/strcspn

strspn/strcspn are string search functions, and as such should throw
ValueError on out-of-bounds offsets, just like strpos etc do.

Author: nikic

ext/standard/basic_functions.stub.php

@@ -542,9 +542,9 @@ function bin2hex(string $data): string {}
 
 function hex2bin(string $data): string|false {}
 
-function strspn(string $str, string $mask, int $start = 0, ?int $len = null): int|false {}
+function strspn(string $str, string $mask, int $start = 0, ?int $len = null): int {}
 
-function strcspn(string $str, string $mask, int $start = 0, ?int $len = null): int|false {}
+function strcspn(string $str, string $mask, int $start = 0, ?int $len = null): int {}
 
 #if HAVE_NL_LANGINFO
 function nl_langinfo(int $item): string|false {}

ext/standard/basic_functions_arginfo.h

@@ -1,5 +1,5 @@
 /* This is a generated file, edit the .stub.php file instead.
- * Stub hash: e71146872a1913d2cef37132c8b27ce1dc9b1a39 */
+ * Stub hash: 3f866608d73047b04b6a1abb6cbfa75abfeeed58 */
 
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_set_time_limit, 0, 1, _IS_BOOL, 0)
 	ZEND_ARG_TYPE_INFO(0, seconds, IS_LONG, 0)
@@ -807,7 +807,7 @@ ZEND_BEGIN_ARG_WITH_RETURN_TYPE_MASK_EX(arginfo_hex2bin, 0, 1, MAY_BE_STRING|MAY
 	ZEND_ARG_TYPE_INFO(0, data, IS_STRING, 0)
 ZEND_END_ARG_INFO()
 
-ZEND_BEGIN_ARG_WITH_RETURN_TYPE_MASK_EX(arginfo_strspn, 0, 2, MAY_BE_LONG|MAY_BE_FALSE)
+ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_strspn, 0, 2, IS_LONG, 0)
 	ZEND_ARG_TYPE_INFO(0, str, IS_STRING, 0)
 	ZEND_ARG_TYPE_INFO(0, mask, IS_STRING, 0)
 	ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, start, IS_LONG, 0, "0")

ext/standard/string.c

@@ -258,33 +258,28 @@ static void php_spn_common_handler(INTERNAL_FUNCTION_PARAMETERS, int behavior) /
 		Z_PARAM_LONG_OR_NULL(len, len_is_null)
 	ZEND_PARSE_PARAMETERS_END();
 
-	if (len_is_null) {
-		len = ZSTR_LEN(s11);
-	}
-
-	/* look at substr() function for more information */
-
 	if (start < 0) {
 		start += (zend_long)ZSTR_LEN(s11);
-		if (start < 0) {
-			start = 0;
-		}
-	} else if ((size_t)start > ZSTR_LEN(s11)) {
-		RETURN_FALSE;
+	}
+	if (start < 0 || (size_t)start > ZSTR_LEN(s11)) {
+		zend_argument_value_error(3, "must be contained in argument #1 ($str)");
+		RETURN_THROWS();
 	}
 
-	if (len < 0) {
-		len += (ZSTR_LEN(s11) - start);
+	size_t remain_len = ZSTR_LEN(s11) - start;
+	if (!len_is_null) {
 		if (len < 0) {
-			len = 0;
+			len += remain_len;
 		}
+		if (len < 0 || (size_t)len > remain_len) {
+			zend_argument_value_error(4, "must be contained in argument #1 ($str)");
+			RETURN_THROWS();
+		}
+	} else {
+		len = remain_len;
 	}
 
-	if (len > (zend_long)ZSTR_LEN(s11) - start) {
-		len = ZSTR_LEN(s11) - start;
-	}
-
-	if(len == 0) {
+	if (len == 0) {
 		RETURN_LONG(0);
 	}
 
@@ -293,13 +288,13 @@ static void php_spn_common_handler(INTERNAL_FUNCTION_PARAMETERS, int behavior) /
 						ZSTR_VAL(s22) /*str2_start*/,
 						ZSTR_VAL(s11) + start + len /*str1_end*/,
 						ZSTR_VAL(s22) + ZSTR_LEN(s22) /*str2_end*/));
-	} else if (behavior == STR_STRCSPN) {
+	} else {
+		ZEND_ASSERT(behavior == STR_STRCSPN);
 		RETURN_LONG(php_strcspn(ZSTR_VAL(s11) + start /*str1_start*/,
 						ZSTR_VAL(s22) /*str2_start*/,
 						ZSTR_VAL(s11) + start + len /*str1_end*/,
 						ZSTR_VAL(s22) + ZSTR_LEN(s22) /*str2_end*/));
 	}
-
 }
 /* }}} */
 

ext/standard/tests/strings/bug40754.phpt

@@ -8,8 +8,17 @@ $v = 2147483647;
 var_dump(substr("abcde", 1, $v));
 var_dump(substr_replace("abcde", "x", $v, $v));
 
-var_dump(strspn("abcde", "abc", $v, $v));
-var_dump(strcspn("abcde", "abc", $v, $v));
+try {
+    var_dump(strspn("abcde", "abc", $v, $v));
+} catch (ValueError $exception) {
+    echo $exception->getMessage() . "\n";
+}
+
+try {
+    var_dump(strcspn("abcde", "abc", $v, $v));
+} catch (ValueError $exception) {
+    echo $exception->getMessage() . "\n";
+}
 
 try {
     var_dump(substr_count("abcde", "abc", $v, $v));
@@ -79,8 +88,8 @@ var_dump(substr("abcde", $v, $v));
 --EXPECT--
 string(4) "bcde"
 string(6) "abcdex"
-bool(false)
-bool(false)
+strspn(): Argument #3 ($start) must be contained in argument #1 ($str)
+strcspn(): Argument #3 ($start) must be contained in argument #1 ($str)
 substr_count(): Argument #3 ($offset) must be contained in argument #1 ($haystack)
 substr_compare(): Argument #3 ($offset) must be contained in argument #1 ($main_str)
 stripos(): Argument #3 ($offset) must be contained in argument #1 ($haystack)

ext/standard/tests/strings/strcspn.phpt

@@ -9,12 +9,16 @@ var_dump($b);
 var_dump(strcspn($a,$b));
 var_dump(strcspn($a,$b,9));
 var_dump(strcspn($a,$b,9,6));
-var_dump(strcspn('a', 'B', 1, 2147483647));
+try {
+    var_dump(strcspn('a', 'B', 1, 2147483647));
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
 ?>
 --EXPECT--
 string(25) "22222222aaaa bbb1111 cccc"
 string(4) "1234"
 int(0)
 int(7)
 int(6)
-int(0)
+strcspn(): Argument #4 ($len) must be contained in argument #1 ($str)

ext/standard/tests/strings/strcspn_basic.phpt

@@ -13,7 +13,7 @@ echo "*** Testing strcspn() : basic functionality ***\n";
 $str = "this is the test string";
 $mask = "es";
 $start = 15;
-$len = 30;
+$len = 3;
 
 // Calling strcspn() with all possible arguments
 var_dump( strcspn($str, $mask, $start, $len) );