php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-03-26 01:02:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix bug #55871 - Interruption in substr_replace()

Browse Source
This commit is contained in:
Stanislav Malyshev
2012-01-02 00:47:57 +00:00
parent 2a687aed1a
commit cbcddcb02e
3 changed files with 290 additions and 229 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
NEWS
View File

@@ -4,12 +4,13 @@ PHP NEWS
- Core:
. Fixed bug #60613 (Segmentation fault with $cls->{expr}() syntax). (Dmitry)
. Fixed bug #60611 (Segmentation fault with Cls::{expr}() syntax). (Laruence)
. Fixed bug #55871 (Interruption in substr_replace()). (Stas)
- SAPI:
. Fixed bug #54374 (Insufficient validating of upload name leading to
corrupted $_FILES indices). (Stas, lekensteyn at gmail dot com)
. Fixed bug #55500 (Corrupted $_FILES indices lead to security concern).
(Stas)
. Fixed bug #54374 (Insufficient validating of upload name leading to
corrupted $_FILES indices). (Stas, lekensteyn at gmail dot com)
- CLI SAPI:
. Fixed bug #60591 (Memory leak when access a non-exists file). (Laruence)

467
ext/standard/string.c
View File

File diff suppressed because it is too large Load Diff

47
ext/standard/tests/strings/bug55871.phpt Normal file
View File

@@ -0,0 +1,47 @@
--TEST--
Bug #55871 (Interruption in substr_replace())
--FILE--
<?php
class test1 {
public function __toString() {
preg_match('//', '', $GLOBALS['my_var']);
return '';
}
}
class test2 {
public function __toString() {
$GLOBALS['my_var'] += 0x08048000;
return '';
}
}
class test3 {
public function __toString() {
$GLOBALS['my_var'] .= "AAAAAAAA";
return '';
}
}
$my_var = str_repeat('A', 40);
$out = substr_replace(array(&$my_var), array(new test1), 40, 0);
var_dump($out);
$my_var = str_repeat('A', 40);
$out = substr_replace(array(&$my_var), array(new test2), 40, 0);
var_dump($out);
$my_var = str_repeat('A', 40);
$out = substr_replace(array(&$my_var), array(new test3), 40, 0);
var_dump($out);
--EXPECTF--
Warning: substr_replace(): Argument was modified while replacing in %s on line %d
array(0) {
}
Warning: substr_replace(): Argument was modified while replacing in %s on line %d
array(0) {
}
Warning: substr_replace(): Argument was modified while replacing in %s on line %d
array(0) {
}