Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:10448 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 94124 invoked by uid 1010); 14 Jun 2004 17:52:40 -0000 Delivered-To: ezmlm-scan-internals@lists.php.net Delivered-To: ezmlm-internals@lists.php.net Received: (qmail 94084 invoked by uid 1007); 14 Jun 2004 17:52:39 -0000 To: internals@lists.php.net Date: Mon, 14 Jun 2004 20:51:47 +0300 Organization: none Content-Type: text/plain; format=flowed; delsp=yes; charset=koi8-r MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Message-ID: User-Agent: Opera M2/7.50 (Win32, build 3778) X-Posted-By: 217.23.116.150 Subject: basename() memory access violation From: valyala@tut.by ("Alexander Valyalkin") Here is patch for basename() function, which prevents possible memory access violation: =========cut========= --- string.c Thu May 13 20:44:32 2004 +++ string_basename.c Mon Jun 14 20:43:33 2004 @@ -1079,9 +1079,9 @@ /* strip trailing slashes */ - while (*c == '/' + while (c >= s && *c == '/' #ifdef PHP_WIN32 - || (*c == '\\' && !IsDBCSLeadByte(*(c-1))) + || (c > s && *c == '\\' && !IsDBCSLeadByte(*(c-1))) #endif ) c--; @@ -1092,10 +1092,10 @@ } #ifdef PHP_WIN32 - if ((c = strrchr(s, '/')) || ((c = strrchr(s, '\\')) && !IsDBCSLeadByte(*(c-1)))) { + if ((c = strrchr(s, '/')) || ((c = strrchr(s, '\\')) && c > s && !IsDBCSLeadByte(*(c-1)))) { if (*c == '/') { char *c2 = strrchr(s, '\\'); - if (c2 && !IsDBCSLeadByte(*(c2-1)) && c2 > c) { + if (c2 && c2 > s && !IsDBCSLeadByte(*(c2-1)) && c2 > c) { c = c2; } } =========cut========== -- Using Opera's revolutionary e-mail client: http://www.opera.com/m2/