authorDerick Rethans <derick@php.net>2008-08-06 08:09:07 +0000
committerDerick Rethans <derick@php.net>2008-08-06 08:09:07 +0000
commiteed9061d170a3f2283dc6becaee5e68f8aeea525 (patch)
treee76eba75a198651af5cd7cb4193e01e6ab51acb4
parent57f0b5015874c4e52b4a282dad53afef9373630a (diff)
downloadphp-git-eed9061d170a3f2283dc6becaee5e68f8aeea525.tar.gz
- MFH (manually): Fixed overflow in memnstr().
-rw-r--r--NEWS1
-rw-r--r--ext/standard/php_string.h4
-rw-r--r--ext/standard/tests/strings/explode_bug.phpt15
3 files changed, 20 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index ef64981d06..337b62994d 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,7 @@
PHP 4 NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? Aug 2008, Version 4.4.9
+- Fixed overflow in memnstr(). (Reported by Laurent Gaffie, Derick)
22 Jul 2008, Version 4.4.9RC1
- Updated PCRE to version 7.7. (Nuno)
diff --git a/ext/standard/php_string.h b/ext/standard/php_string.h
index baa5fe8cbe..6a0aab973c 100644
--- a/ext/standard/php_string.h
+++ b/ext/standard/php_string.h
@@ -137,6 +137,10 @@ php_memnstr(char *haystack, char *needle, int needle_len, char *end)
char *p = haystack;
char ne = needle[needle_len-1];
+
+ if (needle_len > end - haystack) {
+ return NULL;
+ }
end -= needle_len;
while (p <= end) {
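Review bot: The new guard sits after `char ne = needle[needle_len-1];` and bounds `needle_len` only from above, so a `needle_len` of 0 or less still indexes before `needle` and then passes the check, after which `end -= needle_len` moves `end` at or past the original limit. If callers are not guaranteed to pass a non-empty needle (not visible in this hunk), widen the test to `if (needle_len <= 0 || needle_len > end - haystack) {` and assign `ne` only after it. A short comment such as `/* needle longer than haystack: end -= needle_len would land before haystack */` would record why the guard exists. php_memnstr's body starts and ends outside the hunk.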
diff --git a/ext/standard/tests/strings/explode_bug.phpt b/ext/standard/tests/strings/explode_bug.phpt
new file mode 100644
index 0000000000..9766f0b8f4
--- /dev/null
+++ b/ext/standard/tests/strings/explode_bug.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Explode/memnstr bug
+--INI--
+error_reporting=2047
+memory_limit=256M
+--FILE--
+<?php
+$res = explode(str_repeat("A",145999999),1);
+var_dump($res);
+?>
+--EXPECTF--
+array(1) {
+ [0]=>
+ string(1) "1"
+}
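Review bot: The test pins only the case where the delimiter is far longer than the string, so the boundary the guard must not reject (`needle_len == end - haystack`) is left uncovered. Adding `var_dump(explode("ab", "ab"));` with its expected two empty strings would catch a later off-by-one change from `>` to `>=`. The 145999999-byte `str_repeat` also makes the test depend on roughly 146 MB being available, and there is no `--SKIPIF--` section for constrained runners.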