authorZeev Suraski <zeev@php.net>2001-02-05 22:27:47 +0000
committerZeev Suraski <zeev@php.net>2001-02-05 22:27:47 +0000
commitc3531b375005d7d618c8101f6f4810f5abee29d4 (patch)
tree38c1d44842cd0c90cb44f49e2565d1c8944f77b0 /Zend/zend_execute.c
parentbf84618244ec08a96b79594a35c496e431cbe909 (diff)
Fix string offset data corruption
Diffstat (limited to 'Zend/zend_execute.c')
-rw-r--r--Zend/zend_execute.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index bfebe66524..03bb80c18b 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -98,6 +98,7 @@ static inline zval *_get_zval_ptr(znode *node, temp_variable *Ts, int *should_fr
zval *str = T->EA.data.str_offset.str;
if (T->EA.data.str_offset.str->type != IS_STRING
+ || (T->EA.data.str_offset.offset<0)
|| (T->EA.data.str_offset.str->value.str.len <= T->EA.data.str_offset.offset)) {
T->tmp_var.value.str.val = empty_string;
T->tmp_var.value.str.len = 0;
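Review bot: The range test on the string offset is now written out twice with opposite polarity, here in `_get_zval_ptr` (`offset<0 || len <= offset`) and again in the `zend_assign_to_variable` hunk (`offset >= 0 && offset < len`), so a later edit to one side can leave the read or the write path with a weaker bound. A single predicate shared by both would keep them in step, for example `#define STR_OFFSET_IN_RANGE(so) ((so).offset >= 0 && (so).offset < (so).str->value.str.len)` (the name is only a suggestion), with this branch testing its negation. The added line also drops the spacing used in the other hunk; `offset < 0` would match. The enclosing function starts and ends outside the hunk, so any other consumers of `str_offset` are not visible here and should be checked for the same lower bound.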
@@ -263,6 +264,7 @@ static inline void zend_assign_to_variable(znode *result, znode *op1, znode *op2
temp_variable *T = &Ts[op1->u.var];
if (T->EA.data.str_offset.str->type == IS_STRING
+ && (T->EA.data.str_offset.offset >= 0)
&& (T->EA.data.str_offset.offset < T->EA.data.str_offset.str->value.str.len)) {
zval tmp;
zval *final_value = value;
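Review bot: The added lower-bound test guards what appears to be a store into the string's buffer, but nothing at the condition records why a signed check is needed. A comment above it such as `/* offset is signed and presumably script-supplied; a negative value would index before str.val */` would make the memory-safety reason explicit for the next maintainer. What happens when the condition fails is outside the hunk; if a rejected offset is dropped without a diagnostic, that is worth stating there as well. A regression test that reads from and assigns to a negative string offset would keep either check from being removed unnoticed.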