
Commit c6ff5be

committed
add range checks
1 parent a96f99e commit c6ff5be


1 file changed

+11
-11
lines changed


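--- a/ext/dom/characterdata.c
+++ b/ext/dom/characterdata.c
@@ -173,7 +173,7 @@ PHP_FUNCTION(dom_characterdata_substring_data)
 
 length = xmlUTF8Strlen(cur);
 
-if (offset < 0 || count < 0 || offset > length) {
+if (offset < 0 || count < 0 || ZEND_LONG_INT_OVFL(offset) || ZEND_LONG_INT_OVFL(count) || offset > length) {
 xmlFree(cur);
 php_dom_throw_error(INDEX_SIZE_ERR, dom_get_strict_error(intern->document));
 RETURN_FALSE;
@@ -183,7 +183,7 @@ PHP_FUNCTION(dom_characterdata_substring_data)
 count = length - offset;
 }
 
-substring = xmlUTF8Strsub(cur, offset, count);
+substring = xmlUTF8Strsub(cur, (int)offset, (int)count);
 xmlFree(cur);
 
 if (substring) {
@@ -257,14 +257,14 @@ PHP_FUNCTION(dom_characterdata_insert_data)
 
 length = xmlUTF8Strlen(cur);
 
-if (offset < 0 || offset > length) {
+if (offset < 0 || ZEND_LONG_INT_OVFL(offset) || offset > length) {
 xmlFree(cur);
 php_dom_throw_error(INDEX_SIZE_ERR, dom_get_strict_error(intern->document));
 RETURN_FALSE;
 }
 
-first = xmlUTF8Strndup(cur, offset);
-second = xmlUTF8Strsub(cur, offset, length - offset);
+first = xmlUTF8Strndup(cur, (int)offset);
+second = xmlUTF8Strsub(cur, (int)offset, length - (int)offset);
 xmlFree(cur);
 
 xmlNodeSetContent(node, first);
@@ -304,14 +304,14 @@ PHP_FUNCTION(dom_characterdata_delete_data)
 
 length = xmlUTF8Strlen(cur);
 
-if (offset < 0 || count < 0 || offset > length) {
+if (offset < 0 || count < 0 || ZEND_LONG_INT_OVFL(offset) || ZEND_LONG_INT_OVFL(count) || offset > length) {
 xmlFree(cur);
 php_dom_throw_error(INDEX_SIZE_ERR, dom_get_strict_error(intern->document));
 RETURN_FALSE;
 }
 
 if (offset > 0) {
-substring = xmlUTF8Strsub(cur, 0, offset);
+substring = xmlUTF8Strsub(cur, 0, (int)offset);
 } else {
 substring = NULL;
 }
@@ -320,7 +320,7 @@ PHP_FUNCTION(dom_characterdata_delete_data)
 count = length - offset;
 }
 
-second = xmlUTF8Strsub(cur, offset + count, length - offset);
+second = xmlUTF8Strsub(cur, (int)offset + (int)count, length - (int)offset);
 substring = xmlStrcat(substring, second);
 
 xmlNodeSetContent(node, substring);
@@ -361,14 +361,14 @@ PHP_FUNCTION(dom_characterdata_replace_data)
 
 length = xmlUTF8Strlen(cur);
 
-if (offset < 0 || count < 0 || offset > length) {
+if (offset < 0 || count < 0 || ZEND_LONG_INT_OVFL(offset) || ZEND_LONG_INT_OVFL(count) || offset > length) {
 xmlFree(cur);
 php_dom_throw_error(INDEX_SIZE_ERR, dom_get_strict_error(intern->document));
 RETURN_FALSE;
 }
 
 if (offset > 0) {
-substring = xmlUTF8Strsub(cur, 0, offset);
+substring = xmlUTF8Strsub(cur, 0, (int)offset);
 } else {
 substring = NULL;
 }
@@ -378,7 +378,7 @@ PHP_FUNCTION(dom_characterdata_replace_data)
 }
 
 if (offset < length) {
-second = xmlUTF8Strsub(cur, offset + count, length - offset);
+second = xmlUTF8Strsub(cur, (int)offset + count, length - (int)offset);
 }
 
 substring = xmlStrcat(substring, (xmlChar *) arg);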
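Review bot: At new line 381 in dom_characterdata_replace_data the start index is written `(int)offset + count`, so the sum is still computed in zend_long and narrowed implicitly at the xmlUTF8Strsub call; it is the one conversion this commit leaves uncast, where line 323 in dom_characterdata_delete_data casts both operands. I would write `second = xmlUTF8Strsub(cur, (int)(offset + count), length - (int)offset);` so the addition happens in the wide type and the narrowing is explicit. The result fits in int only if count has already been clamped to length - offset; the body of that clamp is visible at line 320 for delete_data, but for line 381 only a closing brace at 378 is in view, so this is presumably the same pattern and worth confirming. A short comment beside the ZEND_LONG_INT_OVFL checks, e.g. `/* libxml2 takes int offsets; reject values the casts below would truncate */`, would tell the next reader why the casts are safe. Each of these functions begins and ends outside the hunks shown.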
