#40754 [NEW]: substr() checks overflow


  1. #1

    Default #40754 [NEW]: substr() checks overflow

    From: christopher dot jones at oracle dot com
    Operating system: Enterprise Linux
    PHP version: 5CVS-2007-03-08 (CVS)
    PHP Bug Type: Strings related
    Bug description: substr() checks overflow

    Description:
    ------------
    Related to the problems fixed in today's patches for substr_count() and
    substr_compare(), there are issues with substr() and substr_replace().
    Also there might be return value inconsistencies with strspn() and
    strcspn().

    Reproduce code:
    ---------------
    <?php

    $v = 2147483647; # INT_MAX on 32bit Linux

    # Tries to allocate too much memory
    var_dump(substr("abcde", 1, $v));
    var_dump(substr_replace("abcde", "x", $v, $v));

    # Functions with ill-defined behavior
    var_dump(strspn("abcde", "abc", $v, $v)); # should return 0 but gives false
    var_dump(strcspn("abcde", "abc", $v, $v)); # should return 0 but gives false

    # Crashes
    # crashes <= 5.2.1. Fixed by Ilia http://news.php.net/php.cvs/43456
    var_dump(substr_count("abcde", "abc", $v, $v));
    # crashes <= 5.2.1. Fixed by Stanislav http://news.php.net/php.cvs/43453
    var_dump(substr_compare("abcde", "abc", $v, $v));

    # Other tests (currently working)
    var_dump(stripos("abcde", "abc", $v));
    var_dump(substr_count("abcde", "abc", $v, 1));
    var_dump(substr_count("abcde", "abc", 1, $v));
    var_dump(strpos("abcde", "abc", $v));
    var_dump(stripos("abcde", "abc", $v));
    var_dump(strrpos("abcde", "abc", $v));
    var_dump(strripos("abcde", "abc", $v));
    var_dump(strncmp("abcde", "abc", $v));
    var_dump(chunk_split("abcde", $v, "abc"));
    var_dump(substr("abcde", $v, $v));
    var_dump(str_repeat("a", $v+1));

    ?>



    christopher dot jones at oracle dot com Guest
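
An illustration of the class of bug the report describes, as an added example that is not PHP's source code and not part of the original post: a length clamp that forms `from + len` in 32-bit signed arithmetic wraps for the report's `$v = 2147483647`, so the oversized length passes the check unclamped. The function names and the shape of the clamp are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* 32-bit add that wraps, done through unsigned arithmetic so the example
 * has no undefined behaviour. It models what an overflowing signed add
 * yields on common two's-complement 32-bit builds (the conversion back to
 * int32_t is implementation-defined; gcc and clang wrap). */
static int32_t wrap_add32(int32_t a, int32_t b) {
    return (int32_t)((uint32_t)a + (uint32_t)b);
}

/* Overflow-prone clamp (hypothetical): "if (from + len > str_len)".
 * Returns the length a caller would go on to allocate and copy. */
int32_t clamp_len_unsafe(int32_t str_len, int32_t from, int32_t len) {
    if (wrap_add32(from, len) > str_len) {
        len = str_len - from;
    }
    return len;
}

/* Hardened clamp (hypothetical): validate signs and offset first, then
 * compare len against the remaining space so no sum is ever formed.
 * Returns -1 when the arguments are out of range. */
int32_t clamp_len_safe(int32_t str_len, int32_t from, int32_t len) {
    if (str_len < 0 || from < 0 || len < 0 || from > str_len) {
        return -1;
    }
    if (len > str_len - from) {
        len = str_len - from;
    }
    return len;
}

int main(void) {
    const int32_t v = INT32_MAX;   /* $v in the report */
    const int32_t n = 5;           /* strlen("abcde") */

    /* substr("abcde", 1, $v): 1 + INT32_MAX wraps negative, check is skipped */
    printf("unsafe clamp: %d\n", (int)clamp_len_unsafe(n, 1, v));
    printf("safe clamp:   %d\n", (int)clamp_len_safe(n, 1, v));
    /* offset beyond the string is rejected rather than clamped */
    printf("safe, from=v: %d\n", (int)clamp_len_safe(n, v, v));
    return 0;
}
```
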

  3. #2

    Default #40754 [Opn]: substr() checks overflow

    ID: 40754
    User updated by: christopher dot jones at oracle dot com
    Reported By: christopher dot jones at oracle dot com
    Status: Open
    Bug Type: Strings related
    Operating System: Enterprise Linux
    PHP Version: 5CVS-2007-03-08 (CVS)
    New Comment:

    I've sent a patch and testcase to Tony.


    Previous Comments:
    ------------------------------------------------------------------------

    [2007-03-08 00:57:37] christopher dot jones at oracle dot com

    ------------------------------------------------------------------------


    christopher dot jones at oracle dot com Guest

  4. #3

    Default #40754 [Opn->Csd]: substr() checks overflow

    ID: 40754
    Updated by: iliaa@php.net
    Reported By: christopher dot jones at oracle dot com
    -Status: Open
    +Status: Closed
    Bug Type: Strings related
    Operating System: Enterprise Linux
    PHP Version: 5CVS-2007-03-08 (CVS)
    New Comment:

    This bug has been fixed in CVS.

    Snapshots of the sources are packaged every three hours; this change
    will be in the next snapshot. You can grab the snapshot at
    http://snaps.php.net/.

    Thank you for the report, and for helping us make PHP better.

    The strspn() and strcspn() behavior is expected.


    Previous Comments:
    ------------------------------------------------------------------------

    [2007-03-09 01:01:45] christopher dot jones at oracle dot com

    I've sent a patch and testcase to Tony.

    ------------------------------------------------------------------------



    iliaa@php.net Guest
