php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-04-21 06:51:18 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fixed segfault (op2 maybe equal to result)

Browse Source
This commit is contained in:
Xinchen Hui
2014-03-05 15:42:57 +08:00
parent dd7c7e6fb2
commit dc889b69ef
1 changed files with 4 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
Zend/zend_operators.c
View File

@@ -1389,16 +1389,17 @@ ZEND_API int concat_function(zval *result, zval *op1, zval *op2 TSRMLS_DC) /* {{
}
if (result==op1 && !IS_INTERNED(Z_STR_P(op1))) { /* special case, perform operations on result */
uint op1_len = Z_STRLEN_P(op1);
uint res_len = op1_len + Z_STRLEN_P(op2);
uint op2_len = Z_STRLEN_P(op2);
uint res_len = op1_len + op2_len;
if (Z_STRLEN_P(result) < 0 || (int) (Z_STRLEN_P(op1) + Z_STRLEN_P(op2)) < 0) {
if (Z_STRLEN_P(result) < 0 || (int) (op1_len + op2_len) < 0) {
ZVAL_EMPTY_STRING(result);
zend_error(E_ERROR, "String size overflow");
}
Z_STR_P(result) = STR_REALLOC(Z_STR_P(result), res_len, 0 );
memcpy(Z_STRVAL_P(result) + op1_len, Z_STRVAL_P(op2), Z_STRLEN_P(op2));
memcpy(Z_STRVAL_P(result) + op1_len, Z_STRVAL_P(op2), op2_len);
Z_STRVAL_P(result)[res_len]=0;
} else {
int length = Z_STRLEN_P(op1) + Z_STRLEN_P(op2);